Password Attacks - Pass the Hash (PtH)

I’m really stuck on this question: “Try to connect via RDP using the Administrator hash. What is the name of the registry value that must be set to 0 for PTH over RDP to work? Change the registry key value and connect using the hash with RDP. Submit the name of the registry value name as the answer.” I don’t understand the question and can’t think of a way to solve it. I tried RDP into the “Administrator” account with the hash “30B3783CE2ABF1AF70F77D0660CF3453” provided in the question above, but after that I can’t do anything more. Hope to receive help.

You need to change the AllowEncryptionOracle registry value to 0. This setting controls the use of encryption when connecting to a remote desktop (RDP) using a password hash. Setting this parameter to 0 disables encryption and allows password pass-through hash (PtH) attacks to be used when connecting via RDP. After changing the value of this parameter to 0, you will be able to connect to the remote computer using the hash of the administrator specified in the question.


I don’t think it is related to AllowEncryptionOracle, as this is typically related to Oracle’s encryption algorithms and is not directly related to Remote Desktop Protocol (RDP) authentication.

For this flag, first you need to get a shell as the Administrator using the Pass the Hash techniques you learn in the module (in my case I used the evil-winrm technique and got a PowerShell session). Now, I have created the “Disable Restricted Admin” registry key under the specified registry key path (HKLM\System\CurrentControlSet\Control\Lsa), which is disabled by default, and set its value to 0. (For this, see the command given in the module and run it on the target Windows machine.)
So, when its value is set to 0 (zero), Restricted Admin mode is enabled, meaning that RDP connections will use Restricted Admin mode by default. When set to 1 (one), Restricted Admin mode is disabled, and RDP connections will not use Restricted Admin mode.

Concept behind this registry key: The plaintext credentials of the user who initiates the RDP connection are not transmitted to the target system. Instead, the client sends the user’s NTLM hash or Kerberos ticket for authentication.

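The post above describes the registry value that switches Restricted Admin mode on and off. As an added example (not code from the thread, the module, or any of its posters), here is a PowerShell audit script a defender can run on a Windows host to report whether that value is present and set to 0, list recent RDP logons that used Restricted Admin mode, and optionally restore the default. The value name is written DisableRestrictedAdmin, without spaces, which is how Windows stores it under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the function names, the -Harden switch and the assumption that Security event 4624 carries a "Restricted Admin Mode" field (Windows 10 / Server 2016 and later) are mine.

```powershell
# Added example: audit Restricted Admin mode (the setting that lets RDP accept
# an NTLM hash instead of a plaintext password). Read-only unless -Harden is given.

function Get-RestrictedAdminStatus {
    [CmdletBinding()]
    param(
        # Key path named in the thread; value name as stored by Windows.
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )
    $name  = 'DisableRestrictedAdmin'
    $value = (Get-ItemProperty -Path $LsaPath -Name $name -ErrorAction SilentlyContinue).$name

    # Absent value = default = Restricted Admin mode off; 0 = on; anything else = off.
    $state = if ($null -eq $value) {
        'Value absent: Restricted Admin mode disabled (default)'
    } elseif ($value -eq 0) {
        'Value 0: Restricted Admin mode ENABLED (RDP will accept hash-based logons)'
    } else {
        "Value $value: Restricted Admin mode disabled"
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $LsaPath
        Name     = $name
        Value    = $value
        Enabled  = ($null -ne $value -and $value -eq 0)
        State    = $state
    }
}

function Get-RestrictedAdminLogons {
    [CmdletBinding()]
    param([int]$Days = 7)
    # Assumption: on Windows 10 / Server 2016+, event 4624 includes a
    # "Restricted Admin Mode: Yes/No" line. Logon type 10 is RemoteInteractive (RDP).
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Logon Type:\s+10' -and $_.Message -match 'Restricted Admin Mode:\s+Yes' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = if ($_.Message -match 'New Logon:[\s\S]*?Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
                Source  = if ($_.Message -match 'Source Network Address:\s+(\S+)') { $Matches[1] } else { '?' }
            }
        }
}

function Disable-RestrictedAdminMode {
    # Removes the value, restoring the Windows default (mode off). Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa')
    if ($PSCmdlet.ShouldProcess("$LsaPath\DisableRestrictedAdmin", 'Remove registry value')) {
        Remove-ItemProperty -Path $LsaPath -Name 'DisableRestrictedAdmin' -ErrorAction SilentlyContinue
    }
}

# --- main: report, then optionally harden ---
param([switch]$Harden)

$status = Get-RestrictedAdminStatus
$status | Format-List

if ($status.Enabled) {
    Write-Warning 'Restricted Admin mode is enabled: RDP logons with only an NTLM hash are possible.'
    $logons = Get-RestrictedAdminLogons -Days 7
    if ($logons) { $logons | Format-Table -AutoSize } else { Write-Host 'No Restricted Admin RDP logons found in the last 7 days.' }
    if ($Harden) { Disable-RestrictedAdminMode -Confirm:$false; Get-RestrictedAdminStatus | Format-List }
}
```

Run it from an elevated prompt as `.\Check-RestrictedAdmin.ps1` to audit, or with `-Harden` to remove the value; add `-WhatIf` to the `Disable-RestrictedAdminMode` call if you want a dry run. The logon query is the more useful half for incident response: a host where the value is 0 and 4624 events show "Restricted Admin Mode: Yes" from an unexpected source address is worth a closer look.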

I have tried many times; neither UserAuthentication nor fDenyTSConnections is submittable. It’s so confusing.

Oh my bad, it’s a very easy question. Maybe I’m overthinking it, and maybe I pasted a space in my answer :crazy_face:

Stuck with the david flag for a long time (no problem with julio).

For david, you have to successfully RDP with the Administrator account to MS01 and run mimikatz from there.

(Running mimikatz from the impacket prompt won’t succeed.)