The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!).
Utilities in the toolkit:
- IAM.EXE/IAM-ALT.EXE: Pass-The-Hash for Windows. These tools allows you to change your current NTLM credentials withouth having the cleartext password but the hashes of the password. The program receives a username, domain name and the LM and NT hashes of the password; using this it will change in memory the NTLM credentials associated with the current windows logon session. After the program performs this operation, all outbound network connections to services that use for authentication the NTLM credentials of the currently logged on user will utilize the credentials modified by IAM.EXE. This includes 'net use', 'net view', many third-party DCOM services that use NTLM authentication, etc. This is basically 'pass-the-hash' for windows; one of the main advantages is that you don't need to use a modified version of samba or samba-tng and be restricted to the limited functionality they implement, you can now use windows and any third-party software with stolen hashes withouth having to obtain the cleartext version of a password. For more information take a look at this paper I wrote back in 2000 Modifying Windows NT Logon Credentials.
- WHOSTHERE.EXE/WHOSTHERE-ALT.EXE: These tools will list logon sessions with NTLM credentials (username,domain name, LM and NT hashes). Logon sessions are created by windows services that log in using specific users, remote desktop connections, etc. This tool has many uses, one that i think is interesting: Let's say you compromised a Windows Server that is part of a Windows Domain (e.g.: Backup server) but is NOT the domain controller. Since it is not the domain controller, you only have access to the local SAM and although you did effectively comprise a sensitive server you did not compromise the domain. However, it is very common in such situations to find that administrators are using Remote Desktop to connect to the compromised server to perform different tasks. So this is your chance, just wait for the administrator to log into the compromised server using remote desktop, at that point, run 'WHOSTHERE.EXE' and you will observe the administrators username,domain name, and NTLM hashes. Now go to your machine, use them with IAM.EXE and compromise the domain controller using the administrator's credentials.
- GENHASH.EXE: This is a small utility that generates LM and NT hashes using some 'undocumented' functions of the Windows API. This is a small tool to aid testing of IAM.EXE.
- Latest stable release (1.4), updated on July 2, 2008. pshtoolkit_v1.4-src.rar.
- Latest stable release (1.4), updated on July 2, 2008. pshtoolkit_v1.4.rar
Quick start:There's not much to be done, extract the .rar file and have fun!.
- You can compile the tools using Microsoft Visual C++ 2005 Express Edition (available at http://msdn.microsoft.com/vstudio/express/). Minor modifications might be needed to compile them using other C compilers.
- You must have Administrator privileges to run these tools (except for genhash.exe).
- IAM.EXE was mostly tested on WinXP and Windows Server 2003, although it should also work on Vista. WHOSTHERE.EXE now works correctly on Windows Server 2003. Support for Vista will be added.
Click the following link for an online copy of the documentation. This page contains instructions on how to use the tools.
Check out the WHATSNEW file.
This version contains modifications that make it work better in Windows Server 2003 and in German and French versions of WinXPSP2, checkout the WHATSNEW file. If you have any problems please let me know!.
This software is provided under the following license for non-commercial use.
Whether you want to report a bug, send a patch or give some suggestions on this package, drop us a few lines at oss- at- coresecurity.com . To contact me, Hernan Ochoa, the author, you can send email to hochoa -at -coresecurity.com
Release date: 2007
License type: Custom license (free for noncomercial use)