GoGoCreds: Unmasking Windows Internals with a Custom Pass-the-Hash Tool + Video

Listen to this Post

Featured Image

Introduction:

Pass-the-Hash (PtH) attacks remain one of the most potent post-exploitation techniques in an adversary’s arsenal, allowing attackers to authenticate as a user using only the NTLM hash without ever needing the plaintext password. While tools like Mimikatz have long dominated this space, a new proof-of-concept tool, GoGoCreds, offers a deep dive into the Windows kernel APIs, exposing the mechanics of credential theft and impersonation by directly interacting with the Local Security Authority (LSA).

Learning Objectives:

  • Understand the step-by-step Windows API sequence required to perform a Pass-the-Hash attack.
  • Learn how to compile and execute a custom PtH tool (GoGoCreds) to inject an NTLM hash into a sacrificial process.
  • Identify key mitigation strategies and detection opportunities to defend against PtH attacks in enterprise environments.

You Should Know:

  1. Anatomy of the Attack: The GoGoCreds API Chain

Maxwell Skinner’s GoGoCreds tool serves as an educational lens into how Windows authentication can be manipulated. Rather than relying on high-level automation, the tool manually executes a chain of specific Windows API calls to achieve its goal. Understanding this chain is critical for both red teamers and defenders.

Step‑by‑step guide explaining what this does and how to use it.

The tool begins by creating a sacrificial process using CreateProcessWithLogonW. This is not the target process but a placeholder with `LOGON_NETCREDENTIALS_ONLY` context. Once this process is running, the tool uses `OpenProcessToken` and `GetTokenInformation` to extract the Logon Session LUID (Locally Unique Identifier) from the token statistics. This LUID acts as a pointer to the specific logon session we wish to hijack.

Next, the tool obtains a handle to the `lsass.exe` process (the Local Security Authority Subsystem Service) via OpenProcess. It then uses `DuplicateTokenEx` and `SetThreadToken` to impersonate the SYSTEM context, granting the necessary privileges to interact with the LSA. With elevated privileges, `LsaConnectUntrusted` establishes a communication channel to the LSA without needing Trusted Computing Base (TCB) privileges—a clever bypass.

Finally, the core swap occurs: `LsaLookupAuthenticationPackage` finds the `msv1_0` authentication package identifier. The tool then calls `LsaCallAuthenticationPackage` with the `MsV1_0DeriveCredential` request (Message Type 10), effectively replacing the dummy hash in the sacrificial process with the target NTLM hash.

2. Practical Usage: Setting Up and Running GoGoCreds

To replicate this research, you first need the necessary hashes. Currently, GoGoCreds does not extract hashes natively; it requires them to be obtained via other means like Procdump and pypykatz.

Step‑by‑step guide explaining what this does and how to use it.

Step 1: Extract the NTLM Hash

On a compromised Windows machine, use Sysinternals Procdump to dump the LSASS process:

procdump.exe -accepteula -ma lsass.exe lsass.dmp

Transfer the dump to your analysis machine and extract the hash using pypykatz:

pypykatz lsa minidump lsass.dmp

Copy the NTLM hash for the target user (e.g., `aad3b435b51404eeaad3b435b51404ee` for blank LM followed by the NTLM).

Step 2: Compile GoGoCreds

Clone the repository and compile the Go binary:

git clone https://github.com/Maxwell-Blueteam25/GoGoCreds.git
cd GoGoCreds
go build gogocreds.go

Step 3: Execute the Attack

Run the compiled binary with the target domain, user, and NTLM hash:

gogocreds.exe <Domain> <Username> <NTLMHash>

For example:

gogocreds.exe CONTOSO Administrator aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

If successful, the tool will create a new process token that now authenticates as the target user using the supplied hash.

3. Defensive Analysis: Detecting PtH API Calls

Understanding the API calls used by GoGoCreds allows defenders to build detections. While Mimikatz often triggers broad detections, a custom tool using these specific calls can evade signature-based defenses unless monitored behaviorally.

Step‑by‑step guide explaining what this does and how to use it.

Windows Event Log Monitoring:

Enable Process Creation (Event ID 4688) and LSASS access auditing. Look for processes that:
– Call `CreateProcessWithLogonW` with `LOGON_NETCREDENTIALS_ONLY` (often suspicious in non-application contexts).
– Open a handle to `lsass.exe` with high privileges (PROCESS_QUERY_INFORMATION, PROCESS_VM_READ).

Sysmon Configuration:

Deploy Sysmon to log process access (Event ID 10). Filter for `TargetImage: lsass.exe` and SourceImage: not in (C:\Windows\System32\svchost.exe, etc.).

Command Line to Detect:

Using PowerShell, you can query for suspicious LSASS access:

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=10} | Where-Object { $_.Message -like "lsass.exe" }

4. Hardening Against PtH: Mitigation Techniques

The most effective way to combat PtH attacks is to reduce the reliance on NTLM and implement controls that limit credential reuse.

Step‑by‑step guide explaining what this does and how to use it.

1. Enable LSA Protection (RunAsPPL):

Adding the `RunAsPPL` registry key prevents non-protected processes (like most malware) from accessing LSASS memory.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001

A reboot is required.

2. Disable NTLM:

Where possible, move to Kerberos. For legacy systems, restrict NTLM usage via Group Policy:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

Set “Network security: Restrict NTLM: Incoming NTLM traffic” to “Deny all accounts”.

3. Limit Local Admin Privileges:

PtH is most dangerous when the attacker has local admin rights. Implementing the Local Administrator Password Solution (LAPS) ensures unique local admin passwords per machine, reducing lateral movement.

5. Expanding the Tool: Future Capabilities and Research

Maxwell Skinner noted that the next feature for GoGoCreds is to parse hashes internally, removing the dependency on Procdump and pypykatz. This points toward a more integrated tool that could automate the entire credential harvesting and lateral movement chain.

Step‑by‑step guide explaining what this does and how to use it.

To extend the tool, one could integrate the `MiniDumpWriteDump` API directly into the Go binary to capture LSASS memory without external tools. Alternatively, using the `AdjustTokenPrivileges` API to enable `SeDebugPrivilege` programmatically ensures the tool can operate fully autonomously.

Code Snippet (Conceptual in Go):

var token syscall.Token
procHandle, _ := syscall.OpenProcess(syscall.PROCESS_QUERY_INFORMATION, false, pid)
syscall.OpenProcessToken(procHandle, syscall.TOKEN_ADJUST_PRIVILEGES|syscall.TOKEN_QUERY, &token)
// Enable SeDebugPrivilege via LookupPrivilegeValue and AdjustTokenPrivileges
  1. The Bigger Picture: AI and Automation in Credential Attacks

As we see more tools like GoGoCreds emerging, the intersection of AI and offensive security is becoming critical. While AI isn’t directly used in this PoC, the automation of such API chains is where AI agents can augment red teaming by chaining exploits and adapting to defenses in real-time.

Step‑by‑step guide explaining what this does and how to use it.

For defenders, AI-based EDR (Endpoint Detection and Response) solutions can now model normal LSASS access patterns. A sudden call to `LsaCallAuthenticationPackage` with `MsV1_0DeriveCredential` from a non-standard process (like a compiled Go binary) would flag as anomalous. Training models on these specific API sequences can significantly reduce false positives.

What Undercode Say:

  • Key Takeaway 1: GoGoCreds provides a transparent, educational view into the Pass-the-Hash attack chain by exposing the raw Windows API calls, making it an invaluable tool for understanding how authentication tokens are manipulated at the kernel level.
  • Key Takeaway 2: Effective detection of PtH attacks requires behavioral monitoring of LSASS access and specific API patterns, rather than relying solely on signature-based detection for known tools like Mimikatz.

Prediction:

As offensive tooling becomes more modular and API-driven, we will see a surge in custom PtH implementations that leverage Go and other compiled languages to evade EDR hooks. Defenders will need to shift from blocking specific binaries to enforcing strict integrity policies like LSA Protection and restricting NTLM usage entirely. The future of Windows credential security lies in the complete deprecation of NTLM in favor of Kerberos with modern protocols, forcing attackers to pivot to token theft and more complex identity attacks.

▶️ Related Video (90% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Maxwell Skinner – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky