A few tips for pshtoolkit


pshtoolkit is short for Pass The Hash Toolkit, and is a program (or rather a small collection of programs) written and released as OSS by CORE. Its basic use is to authenticate to Windows systems by passing the hash of the password – hence the name – rather than the password. Here are a couple of things I discovered while playing around with it:

  • You usually need high (SYSTEM account) privileges to run these programs, otherwise they will fail with cryptic messages. The easiest way to get them is to take psexec and run the following command: psexec \\127.0.0.1 -s c:\windows\system32\cmd.exe. This will start a command prompt with SYSTEM privileges (the downside is that in the started shell you won’t have things like tab completion :-()
  • What is the difference between the “normal” and the *-alt versions? The “normal” executables try to manipulate data directly in the LSASS process. To do this, they need the offsets of the data structures, which change from version to version. Although they contain some code to detect the data structures “heuristically”, this doesn’t always give the expected result. The “alternative” (-alt) executables inject code into the LSASS process, which (I assume) performs the same action by calling undocumented APIs, which is more stable between Windows versions.
  • iam-alt.exe has a bug. You can read the details on the HEXALE blog. To get a working version until the new version is released, you can do two things:
    • Modify the source code and recompile it, as the blog post suggests
    • Fire up a hex editor (like HxD for Windows, or mcedit for Linux) and search for the string “00x” (the inversion is because the x86 is a little-endian processor). You should find two occurrences. Replace them with the literal zero bytes. This should do the trick.
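The hex-editor step above is easy to get wrong by hand (patching the wrong file, a different build, or a file that was already patched). The following is an added example, not code from the original post or from pshtoolkit: a small Python helper that finds every occurrence of a byte pattern in a file, refuses to touch the file unless the count matches what is expected (the post says exactly two), keeps a backup of the original, and overwrites each match with the same number of zero bytes so the file length and every other offset stay unchanged. The pattern b"00x" is the string the post says to search for; replacing it with an equal-length run of zero bytes is an assumption about what “the literal zero bytes” means, and the sample input at the bottom is constructed.

```python
"""Byte-pattern patching with a sanity check on the occurrence count.

Added example, not part of pshtoolkit. Assumptions: the pattern to look
for is b"00x" (from the post) and "the literal zero bytes" means an
equal-length run of 0x00 bytes, which keeps the file size unchanged.
"""
import shutil
from pathlib import Path

PATTERN = b"00x"          # byte string the post says to search for
EXPECTED_COUNT = 2        # the post says you should find two occurrences


def find_offsets(data: bytes, pattern: bytes = PATTERN) -> list:
    """Return the offsets of every non-overlapping occurrence of pattern."""
    offsets = []
    start = 0
    while True:
        idx = data.find(pattern, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + len(pattern)


def patch_bytes(data: bytes, pattern: bytes = PATTERN,
                expected_count: int = EXPECTED_COUNT) -> bytes:
    """Return a copy of data with every occurrence of pattern zeroed out.

    Raises ValueError when the number of occurrences differs from the
    expected one, so a different build, an already patched binary or simply
    the wrong file is left untouched instead of being silently corrupted.
    """
    offsets = find_offsets(data, pattern)
    if len(offsets) != expected_count:
        raise ValueError(
            f"expected {expected_count} occurrence(s) of {pattern!r}, "
            f"found {len(offsets)} at offsets {offsets}")
    buf = bytearray(data)
    zeros = b"\x00" * len(pattern)   # same length: no offsets shift
    for off in offsets:
        buf[off:off + len(pattern)] = zeros
    return bytes(buf)


def patch_file(path: str, pattern: bytes = PATTERN,
               expected_count: int = EXPECTED_COUNT) -> list:
    """Patch a file in place after saving a .orig backup; return the offsets."""
    src = Path(path)
    backup = src.with_suffix(src.suffix + ".orig")
    if not backup.exists():
        shutil.copy2(src, backup)   # keep the unmodified binary around
    data = src.read_bytes()
    patched = patch_bytes(data, pattern, expected_count)  # checks the count first
    src.write_bytes(patched)
    return find_offsets(data, pattern)


# Constructed sample: a fake binary containing the pattern exactly twice.
SAMPLE = b"MZ\x90\x00" + b"A" * 16 + b"00x" + b"B" * 8 + b"00x" + b"C" * 4

if __name__ == "__main__":
    print("offsets:", find_offsets(SAMPLE))      # [20, 31]
    print("patched:", patch_bytes(SAMPLE))
    # Real use: patch_file("iam-alt.exe") writes iam-alt.exe.orig, then patches.
```

The count check is the important part: a hex editor will happily let you overwrite bytes in a binary that does not have the bug, so the script only writes when it finds exactly the two occurrences the post describes, and it never shortens or lengthens the file.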