As red team members and pen testers, we are often tasked with testing the security of a target’s Remote Desktop Protocol (RDP) service. Pass-the-hash (PTH) is a technique commonly used by attackers to gain access to a system through stolen credentials. In this article, we will explore using the xfreerdp tool to connect to an RDP server using PTH techniques.
What is Pass-the-Hash?
Pass-the-Hash is a technique for authenticating to a system using the hash of a user’s password instead of the password itself. The hash is stolen from a system the attacker has already compromised, which is why this technique is typically used by attackers who already have access to password hashes on at least one machine.
When a user logs into a Windows system, the password is hashed using the NTLM algorithm and stored in memory as a hash value. This hash value is then used to authenticate the user for subsequent logins. Attackers can obtain the password hash through various techniques, such as using Mimikatz, WCE, or other similar tools to extract hashes from memory or the SAM database. Once the hash value is obtained, it can be used to authenticate to the system as the user without needing the actual password.
Using Pass-the-Hash to Connect to an RDP Server
Now that we understand Pass-the-Hash, let’s explore using this technique to connect to an RDP server using xfreerdp, an open-source RDP client that supports Pass-the-Hash authentication.
First, we need to obtain a user’s password hash to access the target RDP server. We can use Mimikatz, WCE (Windows Credential Editor), or similar tools to extract the password hash from memory or the SAM database.
Here’s an example command to connect to an RDP server using xfreerdp with Pass-the-Hash authentication:
```
xfreerdp /v:<target_ip> /u:<username> /p:<hash_value> /t
```
Let’s break down this command:
- /v:<target_ip>: specifies the IP address of the target RDP server.
- /u:<username>: specifies the username of the user whose password hash we obtained.
- /p:<hash_value>: provides the NTLM hash value obtained from the target system.
- /t: enables TLS security for the connection.
Once we execute this command, xfreerdp will attempt to authenticate to the RDP server using the password hash. If successful, we will be connected to the RDP server as the specified user. Note that the target system must have RDP enabled and the user account must have the necessary permissions to establish remote connections.
Here’s an example command using xfreerdp to connect to an RDP server with Pass-the-Hash authentication:
```
xfreerdp /v:192.168.1.10 /u:admin /p:aad3b435b51404eeaad3b435b51404ee:7b455e245e1c7f1d2c3a7d305ba65f22 /t
```
In this example, we are attempting to connect to an RDP server with the IP address 192.168.1.10 using the username “admin” and the NTLM hash. Note that the hash format includes both the LM hash (aad3b435b51404eeaad3b435b51404ee) and the NTLM hash (7b455e245e1c7f1d2c3a7d305ba65f22) separated by a colon.
Alternative Tools for Pass-the-Hash RDP
While xfreerdp is a popular choice for pass-the-hash RDP connections, there are other tools available:
- rdesktop: An older RDP client that supports pass-the-hash with specific patches or modifications
- FreeRDP: The parent project of xfreerdp, offering similar functionality
- CrackMapExec: A post-exploitation tool that can perform pass-the-hash attacks across multiple systems, including RDP connections
- Impacket: Python-based tools that support various authentication methods including pass-the-hash
Limitations of Pass-the-Hash
While Pass-the-Hash can be an effective technique for gaining access to a system, this approach has some limitations. One of the main limitations is that Pass-the-Hash only works if the user whose password hash was stolen already has access to the target system; if that user cannot log on there, the technique will not work.
Another limitation is that Pass-the-Hash only works for authentication purposes. Once authenticated, the attacker still needs to escalate their privileges to gain further access to the system. This can be achieved through privilege escalation techniques, such as exploiting vulnerabilities or using other methods to obtain higher-level access.
Additionally, some security tools can detect pass-the-hash attacks. For example, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) may detect and block these attacks. Other security tools, such as intrusion detection systems (IDS), can also identify pass-the-hash activity and alert security teams. Modern Windows systems with Credential Guard enabled can also prevent pass-the-hash attacks by isolating credential material in a secure environment.
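From the defender’s side, the detection the paragraph above alludes to can be expressed as a simple rule over Windows Security logon events: a successful RemoteInteractive (RDP) logon that was authenticated with NTLM rather than Kerberos. The script below is an added example, not part of the original article or of any product; the sample events are constructed in a flattened key=value form, and the rule itself (and its severity split between domain and local accounts) is the editor’s assumption, not a vendor rule.

```python
"""Flag RDP (RemoteInteractive) logons that authenticated with NTLM.

Heuristic (editor's assumption): on a domain-joined host an RDP logon
(event 4624, LogonType 10) is normally Kerberos-authenticated; an NTLM
RDP logon for a domain account is the shape a pass-the-hash session
leaves in the log and is worth an alert. Local accounts always use NTLM,
so they score lower but are still reported.
"""
import re
from typing import Dict, List, Optional

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample events (key=value per line); not real logs.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=10 AuthenticationPackageName=Kerberos TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.0.21 WorkstationName=WS01
EventID=4624 LogonType=10 AuthenticationPackageName=NTLM TargetUserName=admin TargetDomainName=CORP IpAddress=10.0.0.99 WorkstationName=kali
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.0.5 WorkstationName=FS01
EventID=4625 LogonType=10 AuthenticationPackageName=NTLM TargetUserName=admin TargetDomainName=CORP IpAddress=10.0.0.99 WorkstationName=kali
EventID=4624 LogonType=10 AuthenticationPackageName=NTLM TargetUserName=localadm TargetDomainName=WS03 IpAddress=10.0.0.30 WorkstationName=WS02
"""


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'key=value key=value ...' line into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(ev: Dict[str, str], domain: str) -> Optional[str]:
    """Return 'high', 'medium' or None for one parsed event."""
    if ev.get("EventID") != "4624" or ev.get("LogonType") != "10":
        return None  # only successful RDP logons are in scope
    if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
        return None  # Kerberos/Negotiate is the expected path
    # Domain account over NTLM on RDP: the pass-the-hash signature.
    if ev.get("TargetDomainName", "").upper() == domain.upper():
        return "high"
    return "medium"  # local account: NTLM is normal, still review it


def find_ntlm_rdp_logons(text: str, domain: str = "CORP") -> List[Dict[str, str]]:
    """Scan flattened events and return the logons the rule flags."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        sev = classify(ev, domain)
        if sev:
            hits.append({"severity": sev, "user": ev.get("TargetUserName", "?"),
                         "src": ev.get("IpAddress", "?"), "host": ev.get("WorkstationName", "?")})
    return hits


if __name__ == "__main__":
    for h in find_ntlm_rdp_logons(SAMPLE_EVENTS):
        print(f"[{h['severity'].upper()}] NTLM RDP logon: {h['user']} from {h['src']} ({h['host']})")
```

In a real deployment the same rule would run against 4624 events pulled from the Security channel, with TargetDomainName compared to the host’s domain.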
Therefore, it’s essential to understand Pass-the-Hash’s limitations and use it in combination with other techniques to achieve our goals as red team members and pen testers.
Real-World Examples
Pass-the-hash has been used in various real-world attacks. One example is the Target breach in 2013, where reports indicate that the attackers may have used a combination of techniques, including Pass-the-Hash, to gain access to the Target network and steal customer data.
Another example is the 2014 Sony Pictures hack, in which attackers used stolen credentials and Pass-the-Hash to gain access to the network and steal sensitive data. They also used other techniques, such as malware and social engineering, to access the network.
Conclusion
Pass-the-Hash is a powerful post-compromise technique for accessing systems using stolen credentials, and red team members and pen testers need to understand how and when to use it effectively. xfreerdp is a valuable tool for connecting to an RDP server using Pass-the-Hash authentication, but the technique’s limitations mean it is best used in combination with other techniques. Using Pass-the-Hash responsibly helps red teamers test defenses and strengthen organizational security.