{"id":2166,"date":"2019-10-28T21:20:52","date_gmt":"2019-10-28T20:20:52","guid":{"rendered":"http:\/\/labalec.fr\/erwan\/?p=2166"},"modified":"2019-10-29T12:37:58","modified_gmt":"2019-10-29T11:37:58","slug":"nthash","status":"publish","type":"post","link":"https:\/\/labalec.fr\/erwan\/?p=2166","title":{"rendered":"NTHASH"},"content":{"rendered":"<p>Don't ask about the name: yes, it does not mean much, but this is all I got so far&#8230;<\/p>\n<p>A tribute to\u00a0<a href=\"https:\/\/github.com\/gentilkiwi\/mimikatz\">https:\/\/github.com\/gentilkiwi\/mimikatz<\/a>&#8230;<br \/>\nAnd, generally speaking, a tool to handle Windows passwords and perform <a href=\"https:\/\/attack.mitre.org\/tactics\/TA0008\/\" rel=\"noopener\" target=\"_blank\">lateral movement<\/a>.<br \/>\n<a href=\"https:\/\/attack.mitre.org\/matrices\/enterprise\/windows\/\" rel=\"nofollow\">https:\/\/attack.mitre.org\/matrices\/enterprise\/windows\/<\/a>\u00a0is definitely worth reading as well.<\/p>\n<p>Source code on GitHub <a href=\"https:\/\/github.com\/erwan2212\/NTHASH-FPC\">here<\/a>.<\/p>\n<p>Command line so far:<br \/>\nNTHASH \/setntlm [\/server:hostname] \/user:username \/newhash:xxx<br \/>\nNTHASH \/setntlm [\/server:hostname] \/user:username \/newpwd:xxx<br \/>\nNTHASH \/changentlm [\/server:hostname] \/user:username \/oldpwd:xxx \/newpwd:xxx<br \/>\nNTHASH \/changentlm [\/server:hostname] \/user:username \/oldhash:xxx \/newpwd:xxx<br \/>\nNTHASH \/changentlm [\/server:hostname] \/user:username \/oldpwd:xxx \/newhash:xxx<br \/>\nNTHASH \/changentlm [\/server:hostname] \/user:username \/oldhash:xxx \/newhash:xxx<br \/>\nNTHASH \/gethash \/password:password<br \/>\nNTHASH \/getsid \/user:username [\/server:hostname]<br \/>\nNTHASH \/getusers [\/server:hostname]<br \/>\nNTHASH \/getdomains [\/server:hostname]<br \/>\nNTHASH \/dumpsam<br \/>\nNTHASH \/dumphashes [\/offline]<br \/>\nNTHASH \/dumphash \/rid:123 [\/offline]<br \/>\nNTHASH \/getsamkey 
[\/offline]<br \/>\nNTHASH \/getsyskey [\/offline]<br \/>\nNTHASH \/getlsakeys<br \/>\nNTHASH \/wdigest<br \/>\nNTHASH \/logonpasswords<br \/>\nNTHASH \/pth \/user:username \/password:myhash \/domain:mydomain<br \/>\nNTHASH \/enumcred<br \/>\nNTHASH \/enumcred2<br \/>\nNTHASH \/enumvault<br \/>\nNTHASH \/chrome [\/binary:path_to_database]<br \/>\nNTHASH \/firefox [\/binary:path_to_database]<br \/>\nNTHASH \/cryptunprotectdata \/binary:filename<br \/>\nNTHASH \/cryptunprotectdata \/input:string<br \/>\nNTHASH \/cryptprotectdata \/input:string<br \/>\nNTHASH \/runasuser \/user:username \/password:password [\/binary: x:\\folder\\bin.exe]<br \/>\nNTHASH \/runastoken \/pid:12345 [\/binary: x:\\folder\\bin.exe]<br \/>\nNTHASH \/runaschild \/pid:12345 [\/binary: x:\\folder\\bin.exe]<br \/>\nNTHASH \/runas [\/binary: x:\\folder\\bin.exe]<br \/>\nNTHASH \/runts \/user:session_id [\/binary: x:\\folder\\bin.exe]<br \/>\nNTHASH \/runwmi \/binary:c:\\folder\\bin.exe [\/server:hostname]<br \/>\nNTHASH \/enumpriv<br \/>\nNTHASH \/dumpprocess \/pid:12345<br \/>\nNTHASH \/bytetostring \/input:hexabytes<br \/>\nNTHASH \/stringtobyte \/input:string<br \/>\nNTHASH \/base64encodew \/input:string<br \/>\nNTHASH \/base64encode \/input:string<br \/>\nNTHASH \/base64decode \/input:base64string<br \/>\nNTHASH \/a_command \/verbose<br \/>\nNTHASH \/a_command \/system<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Don't ask about the name: yes, it does not mean much, but this is all I got so far&#8230; A tribute to\u00a0https:\/\/github.com\/gentilkiwi\/mimikatz&#8230; And, generally speaking, a tool to handle Windows passwords and perform lateral movement. https:\/\/attack.mitre.org\/matrices\/enterprise\/windows\/\u00a0is definitely worth reading as well. Source code on GitHub here. 
Command line so far: Command line as below: <a href='https:\/\/labalec.fr\/erwan\/?p=2166' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[118],"tags":[],"class_list":["post-2166","post","type-post","status-publish","format-standard","hentry","category-nthash","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2166"}],"version-history":[{"count":3,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2166\/revisions"}],"predecessor-version":[{"id":2198,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2166\/revisions\/2198"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}