The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!).
Utilities in the toolkit:
- IAM.EXE/IAM-ALT.EXE: Pass-The-Hash for Windows. These tools allows you to change your current NTLM credentials withouth having the cleartext password but the hashes of the password. The program receives a username, domain name and the LM and NT hashes of the password; using this it will change in memory the NTLM credentials associated with the current windows logon session. After the program performs this operation, all outbound network connections to services that use for authentication the NTLM credentials of the currently logged on user will utilize the credentials modified by IAM.EXE. This includes 'net use', 'net view', many third-party DCOM services that use NTLM authentication, etc. This is basically 'pass-the-hash' for windows; one of the main advantages is that you don't need to use a modified version of samba or samba-tng and be restricted to the limited functionality they implement, you can now use windows and any third-party software with stolen hashes withouth having to obtain the cleartext version of a password. For more information take a look at this paper I wrote back in 2000 Modifying Windows NT Logon Credentials.
- WHOSTHERE.EXE/WHOSTHERE-ALT.EXE: These tools will list logon sessions with NTLM credentials (username,domain name, LM and NT hashes). Logon sessions are created by windows services that log in using specific users, remote desktop connections, etc. This tool has many uses, one that i think is interesting: Let's say you compromised a Windows Server that is part of a Windows Domain (e.g.: Backup server) but is NOT the domain controller. Since it is not the domain controller, you only have access to the local SAM and although you did effectively comprise a sensitive server you did not compromise the domain. However, it is very common in such situations to find that administrators are using Remote Desktop to connect to the compromised server to perform different tasks. So this is your chance, just wait for the administrator to log into the compromised server using remote desktop, at that point, run 'WHOSTHERE.EXE' and you will observe the administrators username,domain name, and NTLM hashes. Now go to your machine, use them with IAM.EXE and compromise the domain controller using the administrator's credentials.
- GENHASH.EXE: This is a small utility that generates LM and NT hashes using some 'undocumented' functions of the Windows API. This is a small tool to aid testing of IAM.EXE.
- Latest stable release (1.3), updated on February 29, 2008. gzip'd tarball