DarthSidious
Pass the hash


Last updated 7 years ago

The first goal of a Windows pentest is to get a user or a shell as a user.

You CAN perform Pass-The-Hash attacks with NTLM hashes, because the NT hash is the stored credential that the NTLM protocol uses directly as its key.

You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes, because a Net-NTLM value is a challenge-response computed for one specific authentication exchange, not the stored credential.

You can pass the hash using a Metasploit module called .

If you want to test your newly found hash across multiple machines, the smb_login Metasploit module is how it's done. However, trying this with a domain hash will lock the account out of the domain, assuming the domain has a lockout policy.

Empire also has options for performing pass-the-hash in the credentials/mimikatz/pth module.
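The logons described above (smb_login sweeps, psexec-style execution with a reused hash, and the lockout risk that comes with guessing wrong) leave a recognisable shape in the Windows Security log. The following Python is an added example written from the defender's side; it is not code from the DarthSidious wiki or from any of the tools it mentions. It assumes that Security events 4624 and 4625 have already been parsed into dicts whose keys mirror the event XML field names; the sample records are constructed here for the example.

```python
"""Triage Windows Security events for pass-the-hash style activity.

Assumptions (not from the original page): events are already parsed into
dicts carrying EventID, TargetUserName, LogonType, AuthenticationPackageName,
IpAddress, Computer and, for 4625, Status. All sample values are constructed.
"""
from collections import defaultdict

# STATUS_LOGON_FAILURE: the 4625 Status for a wrong password or wrong hash.
FAILED_CREDENTIAL_STATUS = "0xC000006D"


def _ev(event_id, user, ip, host, package="NTLM", status=None):
    """Build one constructed event record (LogonType 3 = network logon)."""
    ev = {"EventID": event_id, "TargetUserName": user, "LogonType": 3,
          "AuthenticationPackageName": package, "IpAddress": ip, "Computer": host}
    if status is not None:
        ev["Status"] = status
    return ev


# Constructed sample log: a user doing normal Kerberos work, a privileged
# account authenticating with NTLM from one source to many hosts (the trace a
# hash reused against several machines leaves), and repeated NTLM failures for
# a service account from that same source (a wrong hash heading for lockout).
SAMPLE_EVENTS = [
    _ev(4624, "jsmith", "10.0.1.25", "FS01", package="Kerberos"),
    _ev(4624, "jsmith", "10.0.1.25", "WS02", package="Kerberos"),
    _ev(4624, "adm_backup", "10.0.9.200", "FS01"),
    _ev(4624, "adm_backup", "10.0.9.200", "WS02"),
    _ev(4624, "adm_backup", "10.0.9.200", "SQL01"),
    _ev(4624, "adm_backup", "10.0.9.200", "DC01"),
] + [_ev(4625, "svc_sql", "10.0.9.200", "WS02", status=FAILED_CREDENTIAL_STATUS)
     for _ in range(4)]


def _is_ntlm_network_logon(ev):
    return ev.get("LogonType") == 3 and ev.get("AuthenticationPackageName") == "NTLM"


def ntlm_logons_by_privileged(events, privileged):
    """Successful NTLM network logons by accounts expected to use Kerberos.

    Returns (user, source_ip, host) tuples. An attacker holding only the NT
    hash cannot complete a Kerberos password-based logon, so NTLM showing up
    for an account that normally uses Kerberos is the primary indicator.
    """
    return [(ev["TargetUserName"], ev["IpAddress"], ev["Computer"])
            for ev in events
            if ev["EventID"] == 4624 and _is_ntlm_network_logon(ev)
            and ev["TargetUserName"] in privileged]


def sweep_sources(events, min_hosts=3):
    """(user, source_ip) pairs whose NTLM logons reached >= min_hosts computers.

    One account authenticating from one address to many hosts in the log is the
    footprint of a credential tested across the estate.
    """
    hosts = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4624 and _is_ntlm_network_logon(ev):
            hosts[(ev["TargetUserName"], ev["IpAddress"])].add(ev["Computer"])
    return {key: sorted(seen) for key, seen in hosts.items() if len(seen) >= min_hosts}


def lockout_candidates(events, lockout_threshold):
    """Accounts one failed credential away from the domain lockout threshold."""
    failures = defaultdict(int)
    for ev in events:
        if ev["EventID"] == 4625 and ev.get("Status") == FAILED_CREDENTIAL_STATUS:
            failures[ev["TargetUserName"]] += 1
    return {user: n for user, n in failures.items() if n >= lockout_threshold - 1}


if __name__ == "__main__":
    print("privileged NTLM logons:", ntlm_logons_by_privileged(SAMPLE_EVENTS, {"adm_backup"}))
    print("sweep sources:", sweep_sources(SAMPLE_EVENTS, min_hosts=3))
    print("near lockout (threshold 5):", lockout_candidates(SAMPLE_EVENTS, 5))
```

The privileged set would come from your own tier-0 group membership in practice; the thresholds are tuning knobs, and a real pipeline would also window the events by time rather than counting over the whole sample.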

Ranger

There is an insane tool named Ranger that can interact with Windows based systems in oh so many ways.

Ranger is a command-line driven attack and penetration testing tool, which has the ability to use an instantiated catapult server to deliver capabilities against Windows systems. As long as a user has a set of credentials or a hash set (NTLM, LM, LM:NTLM), he or she can gain access to systems that are a part of the trust.

PSExec
https://www.powershellempire.com/?page_id=270
https://github.com/funkandwagnalls/ranger