Amnesiac

HashGrab

Retrieve the Hash of the current user

Last updated 1 year ago

HashGrab requests a certificate from a Windows Certificate Authority (CA) for the user account whose TGT is held in your current session, uses PKINIT with that certificate to obtain a TGT for the same account, then performs the UnPAC-the-Hash technique to extract the account's NTLM hash.

This approach can be valuable in situations where an account's TGT has been compromised.

Gaining access to the account's NTLM hash opens up various possibilities, including:

  • Cracking the hash to retrieve the plaintext password associated with the account.

  • Conducting pass-the-hash attacks, where the hash is used for unauthorized access.

  • Acquiring a new TGT if the existing one has expired, potentially granting further access.

Limitations

HashGrab relies on the presence of a Windows Certificate Authority (CA) in the environment. Without a functioning CA, the command will not be able to request the necessary certificate and will fail to operate.

HashGrab executes Rubeus behind the scenes to perform the UnPAC-the-Hash technique. Some antivirus (AV) solutions block Rubeus, in which case HashGrab will fail to achieve its intended purpose.
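
For defenders, the sequence described above (a PKINIT TGT request followed by UnPAC-the-Hash) leaves a correlatable trail in domain controller Security logs: Event 4768 with PreAuthType 16, then Event 4769 for a user-to-user ticket the account requests to itself. The following is an added detection example, not part of Amnesiac or its documentation; the dictionary keys, sample events and 5-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

PA_PK_AS_REQ = 16              # PreAuthType logged in 4768 when PKINIT was used
ENC_TKT_IN_SKEY = 0x00000008   # KDC option set on user-to-user (U2U) requests
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per environment

# Constructed sample events (not real logs), reduced to the fields used below.
EVENTS = [
    {"id": 4768, "time": "2024-05-01T10:00:00", "user": "alice",
     "ip": "10.0.0.50", "preauth": 16},
    {"id": 4769, "time": "2024-05-01T10:00:02", "user": "alice@CORP.LOCAL",
     "ip": "10.0.0.50", "service": "alice", "options": "0x40810018"},
    # Smart-card logon followed by an ordinary service ticket: no alert.
    {"id": 4768, "time": "2024-05-01T11:00:00", "user": "bob",
     "ip": "10.0.0.60", "preauth": 16},
    {"id": 4769, "time": "2024-05-01T11:00:01", "user": "bob@CORP.LOCAL",
     "ip": "10.0.0.60", "service": "FILESRV$", "options": "0x40810000"},
    # Password-based TGT (PreAuthType 2) then U2U to self: no PKINIT, no alert.
    {"id": 4768, "time": "2024-05-01T12:00:00", "user": "carol",
     "ip": "10.0.0.70", "preauth": 2},
    {"id": 4769, "time": "2024-05-01T12:00:03", "user": "carol@CORP.LOCAL",
     "ip": "10.0.0.70", "service": "carol", "options": "0x40810018"},
]

def account(name):
    """Normalise 'user@REALM' or 'user' to a lowercase account name."""
    return name.split("@", 1)[0].lower()

def find_unpac_candidates(events, window=WINDOW):
    """Return alerts where a PKINIT TGT is followed by a U2U ticket to self."""
    pkinit = {}   # (account, ip) -> time of the most recent PKINIT AS-REQ
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        key = (account(ev["user"]), ev["ip"])
        if ev["id"] == 4768 and ev["preauth"] == PA_PK_AS_REQ:
            pkinit[key] = when
        elif ev["id"] == 4769 and key in pkinit:
            u2u = int(ev["options"], 16) & ENC_TKT_IN_SKEY
            to_self = account(ev["service"]) == key[0]
            if u2u and to_self and when - pkinit[key] <= window:
                alerts.append({"account": key[0], "ip": key[1],
                               "tgt_time": pkinit[key], "u2u_time": when})
    return alerts

if __name__ == "__main__":
    for alert in find_unpac_candidates(EVENTS):
        print(alert)
```

Pairing these alerts with certificate issuance records on the CA for the same account narrows the results further, since the technique depends on a freshly requested certificate.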