Passing the hash for SMB shares
Maybe you have heard about it since there is a little hype about it right now.
Here's a short description of what passing the hash is all about:
When you normally log in to an SMB share, you have to enter your username/password combination.
The good thing is that you do not need to know the password when you know the password hash: you can log in to any SMB share for which you know the username/password-hash combination.
The main advantage is that rainbow tables for LM/NTLM hashes become redundant, since you do not need to recover the password at all.
How does it work?
To authenticate to an SMB share, the Samba client (or Windows) only ever uses the password hash, never the password itself, so all that has to be done is to use a modified SMB client that accepts the password hash directly.
In summary, all that is needed is a modified Samba client that takes a username/password-hash combination instead of a username/password combination!
A modified Samba client can be found here:
More information on LM/NTLM authentication can be found here:
A SMB proxy can be found here:
For Windows, the password hash is swapped in memory using DLL injection: