Performing Pass-the-Hash Attacks with Mimikatz

Performing Pass-the-Hash Attacks with Mimikatz

Attack #4: Pass-the-Hash with Mimikatz

In my previous post, we learned how to extract password hashes for all domain accounts from the Ntds.dit file. In this post, we’re going to see what you can do with those hashes once you have them. Mimikatz has become the standard tool for extracting passwords and hashes from memory, performing pass-the-hash attacks and creating domain persistence through Golden Tickets. Mimikatz can be executed in a variety of ways to evade detection, including entirely in memory as part of the Invoke-Mimikatz command within PowerSploit. Let’s take a look at how easy Mimikatz makes it to pass-the-hash and perform other authentication-based attacks.


With the hash from the Ntds.dit file in hand, let’s look at how easily Mimikatz can enable us to perform actions on behalf of the Administrator account within the domain.

First, I will log into my computer as the user Adam, who has no special privileges within the domain:

Showing group membership for the logged in user, which contains no domain groups.

As Adam, if I try to execute PSExec, a tool for remote PowerShell execution, against my domain controller I receive an access denied message.

By issuing a command with Mimikatz, I can elevate my account to that of the Domain Administrator account. This will launch whatever process you specify with this elevated token. In this case, I will launch a new command prompt.

Executing Mimikatz and issuing a pass-the-hash command to launch a command prompt as a privileged user account.

With the newly launched command prompt I can perform activities as Jeff, the Domain Administrator, while Windows still thinks I am Adam. Here you can see I am now able to launch the PSExec session and enumerate the contents of my domain controller’s NTDS directory using the Pass-the-Hash technique.

Using Mimikatz and pass-the-hash to launch a successful PSexec session as an elevated user against a remote domain controller.

With the Ntds.dit file decrypted, every user’s password hash is in my control so I can perform actions on behalf of any user just as easily. This is a scary way to not only gain unlimited access but to cover my tracks and blend in as though I am the users who I am impersonating.

Protecting Against Pass-the-Hash

Pass-the-Hash is difficult to prevent, but Windows has introduced several new features to make it harder to execute. The most effective approach is to implement logon restrictions so your privileged account hashes are never stored where they can be extracted. Microsoft provides best practices to follow a tiered administrative model for Active Directory that ensures privileged accounts will be significantly harder to compromise using such methods. Enabling LSA Protection, leveraging the Protected Users security group, and using Restricted Admin mode for Remote Desktop are some other ways in which you can protect against these attacks.

In addition to proper upfront security, monitoring authentication and logon activity for abnormalities can expose any attempts to leverage these attack paths. Many times, these attacks follow patterns and result in accounts being used in ways that are not normal. Being alerted to this as it occurs can detect an attack before it is too late.

This is the final installment in our blog series, 4 Active Directory Attacks and How to Protect Against Them. To view the previous blogs, please click on the links below.

To watch the AD Attacks webinar, please click here.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Jeff Warren is STEALTHbits’ Vice President of Product Management. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.

With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions.

Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.

5 thoughts on “Performing Pass-the-Hash Attacks with Mimikatz

  1. Pardon my newbie question:

    With regards to the statement:
    ‘By issuing a command with Mimikatz, I can elevate my account to that of the Domain Administrator account.’

    The /ntlm:xxx hash you are providing in the command – whereis this obtained? Is this the local hash of the client admin user account? Or is Jeff the Domain Controller Admin. In case of latter, Jeff already has access to the Domain Controller machine, so this is moot.

    1. Good question, I didn’t cover that much in this post, but the NTLM hash can be obtained using another Mimikatz command sekurlsa::logonpasswords. The user logged in (Adam) must be a local Administrator to obtain other password data stored on that machine, which In this example would obtain a Domain Administrator (Jeff). So with no domain privileges at all and only local privileges, Adam is able to extract Jeff’s password hash and pass it to a domain controller to obtain Domain Admin rights.

    1. The simplest way to look at it is anything that can be done from a command prompt. That could be interacting with a system through PowerShell or directly connecting to a SQL Database. There are very few limits to what can be done using pass-the-hash.

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Start a Free StealthAUDIT® Trial!

No risk. No obligation.