Never Ending Security

It starts all here

Pass the Hash toolkit, Winexe and Passing the Hash with Remote Desktop With Kali Linux

We’ve just pushed a bunch of packages, tools, and utilities to the main Kali repositories. These tools have been on the top of our wish list for a while and some of them were quite challenging to package. Before we start telling you of our packaging woes, here’s how to update your Kali installation and get the latest goodness from our repos:

apt-get update
apt-get dist-upgrade
apt-get install passing-the-hash unicornscan winexe
apt-get install unicornscan enum4linux polenum
apt-get install nfspy firmware-mod-kit wmis
# and if you haven’t already:
apt-get install nipper-ng jsql oclgausscrack ghost-phisher uniscan
apt-get install lbd automater arachni bully inguma sslsplit dumpzilla
apt-get install owasp-mantra-ff recon-ng ridenum regripper jd-gui

Pass The Hash Toolkit

We have finally finished packaging the Pass the Hash Toolkit in an elegant and intelligent way, thanks to samba4. Samba 4 is architectured differently than previous versions and many parts of the core functionality have been moved into libraries. This made it possible for us to easily override a couple of functions in those libraries with the help of the dynamic loader (using LD_PRELOAD) and saved us the need to recompile a patched samba in order to introduce the PTH tookit to Kali. All PTH tools and utilities have a “pth-” prefix.


Winexe (also with PTH capabilities) was also challenging to get running in Kali due to mysterious segfaults in the application on 32 bit Kali systems. Fortunately, those issues were solved and the latest Winexe is now available in the Kali repositories.

Kali Linux contains a large number of very useful tools that are beneficial to information security professionals. One set of such tools belongs to the Pass-the-Hash toolkit, which includes favorites such as pth-winexe among others, already packaged in Kali Linux. An example of easy command line access using pth-winexe is shown below.


We constantly strive to include new, useful tools to our repositories. Sometimes we feel that some of these tools do not get the attention they deserve and go under-reported. One such recent addition is the version of FreeRDP, which allows a penetration tester to use a password hash instead of a plain text password for authentication to the remote desktop service in Windows 2012 R2 and Windows 8.1.

What’s the big deal, you say? Traditional “Pass-the-Hash” attacks can be very powerful, but they are limited to command line access. Although in most cases that is enough, sometimes GUI access is just a better way to accomplish things.

A few months ago, Mark Lowe from the Portcullis Labs published a blog post on research he conducted against Windows 2012 R2 and Windows 8.1 RDP security improvements. It turns out that Microsoft, in their quest to mitigate “Pass-the-Hash” attacks, introduced something called “Restricted Admin” mode.  You can read more about it here.

Inadvertently however, this new security feature actually enabled the use of a password hash for RDP authentication purposes, thereby giving many pentesters once again a reason to smile. To add to the validity of the research by Mark, the FreeRDP project has added native support for Pass-the-Hash authentication to the FreeRDP package, which is now in Kali repos. To enjoy this new feature, simply install freerdp-x11.

apt-get update
apt-get install freerdp-x11

The new xfreerdp executable supports the “/pth” flag as shown below using our “offsec” domain user and the “password” hash.


And that’s it! RDP sessions using harvested password hashes. Again, keep in mind that this only works on Windows 2012 R2 and Windows 8.1. To the best of our knowledge, the “Restricted Admin” feature has not been backported yet and considering this, it may never be.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s