PrepAway - Latest Free Exam Questions & Answers

Which of the following is true hash type and sort order…

In cryptanalysis and computer security, ‘pass the hash’ is a hacking technique that allows an attacker to
authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user’s
password, instead of requiring the associated plaintext password as is normally the case.
Metasploit Framework has a module for this technique: psexec. The psexec module is often used by
penetration testers to obtain access to a given system when you already know the credentials for it. It was written
by Sysinternals and has been integrated within the framework. Often, as penetration testers, we successfully gain
access to a system through some exploit, use meterpreter (or other methods such as fgdump, pwdump, or
cachedump) to grab the password hashes, and then use rainbow tables to crack those hash values.
Which of the following is the correct hash type and sort order used in the psexec module’s ‘smbpass’?


A. NT:LM

B. LM:NT

C. LM:NTLM

D. NTLM:LM
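The question turns on the order in which the two hashes appear: tools such as pwdump and fgdump emit one line per account in the form `user:rid:LMhash:NThash:::`, and the LM hash comes before the NT hash. The following Python script is an added example, not part of the original page or of Metasploit; it parses constructed pwdump-style lines, extracts the pair in LM:NT order, and, from an auditing standpoint, flags accounts that still have a real LM hash stored (the well-known `aad3b435b51404eeaad3b435b51404ee` value means no LM hash is stored, which is the hardened default) and accounts whose NT hash is that of an empty password. The NT hash values in the sample dump are made up and do not correspond to any real account.

```python
import re

# Well-known "empty" hash values: the LM value appears when LM hash storage is
# disabled (the modern default), the NT value is the hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample dump in pwdump format (user:rid:LM:NT:::). The 32-hex
# NT values here are invented placeholders, not hashes of real passwords.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacyuser:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
blank:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
broken:1003:notahash:fedcba9876543210fedcba9876543210:::
"""


def parse_pwdump_line(line):
    """Split one pwdump line into (user, rid, lm, nt); raise on malformed input."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"too few fields: {line!r}")
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    for name, value in (("LM", lm), ("NT", nt)):
        if not HEX32.match(value):
            raise ValueError(f"{name} hash for {user!r} is not 32 hex chars: {value!r}")
    return user, int(rid), lm, nt


def lm_nt_pair(lm, nt):
    """Return the two hashes joined in LM:NT order (the order asked about above)."""
    return f"{lm}:{nt}"


def audit_dump(text):
    """Return, per account, the stored hash pair and two hygiene flags."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            user, rid, lm, nt = parse_pwdump_line(line)
        except ValueError as exc:
            # Keep malformed lines visible instead of silently dropping them.
            report[line.split(":")[0]] = {"error": str(exc)}
            continue
        report[user] = {
            "rid": rid,
            "lm_nt": lm_nt_pair(lm, nt),
            # A non-empty LM hash means the weak LanMan hash is still stored.
            "lm_stored": lm != EMPTY_LM,
            # The NT hash of "" means the account has a blank password.
            "blank_password": nt == EMPTY_NT,
        }
    return report


if __name__ == "__main__":
    for user, info in audit_dump(SAMPLE_DUMP).items():
        print(user, info)
```

Running the script prints one dictionary per account; `legacyuser` is the only one with `lm_stored` set, and `broken` is reported with an error rather than a hash pair.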

2 Comments on “Which of the following is true hash type and sort order…

  1. for_the_hac_king says:

    https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4

    A good article explaining that the LM hashes (LanMan, I think) come before the colon in the SAM database (Windows database of passwords) or the NTDS (Domain Controller version).

    The article continues to explain that the NTHash is also known as the NTLM which is the hash you can use in ‘pass the hash’.

    It continues… ‘Usually people call this the NTLM hash (or just NTLM), which is misleading, as Microsoft refers to this as the NTHash (at least in some places). I personally recommend to call it the NTHash, to try to avoid confusion.’

    And the article states… ‘The v1 of the protocol uses both the NT and LM hash, depending on configuration and what is available’ and seems to explain that this process is still used in the more modern v2 of the NTLMv2 (aka Net-NTLMv2).

    So it would appear that LM:NT is correct, B.

