HashGrab
Retrieve the Hash of the current user
Last updated
Retrieve the Hash of the current user
Last updated
HashGrab requests a certificate from a Windows Certificate Authority (CA) for the User Account TGT held in your current session, uses PKINIT to obtain a TGT for the same Account, then performs the UnPAC-the-Hash technique to extract the Account's NTLM hash.
This approach can be valuable in situations where an account's TGT has been compromised.
Gaining access to the account's NTLM hash opens up various possibilities, including:
Cracking the hash to retrieve the plaintext password associated with the account.
Conducting pass-the-hash attacks, where the hash is used for unauthorized access.
Acquiring a new TGT if the existing one has expired, potentially granting further access.
Limitations
HashGrab relies on the presence of a Windows Certificate Authority (CA) in the environment. Without a functioning CA, the command will not be able to request the necessary certificate and will fail to operate.
HashGrab executes Rubeus behind the scenes to perform the UnPAC-the-Hash technique. It's important to note that some antivirus (AV) solutions may block Rubeus. This can result in HashGrab failing to achieve its intended purpose if AV interference occurs.
