Pass The Hash with Winpexec.py
Download winpexec.py
Now that we have cracked our captured Net-NTLM challenge/response to a plaintext password and computed the local Administrator's NT hash from it (a Net-NTLM response itself cannot be passed; only the NT hash can), we can pass that hash to gain access to the machine. There are 3 main methods I have used to significant effect:
Wmiexec is another Impacket remote-execution script. Instead of creating a service on the target like smbexec or psexec, it calls the Win32_Process Create method over DCOM/WMI and reads the command output back through the ADMIN$ share, so AV that catches smbexec's service creation often lets wmiexec through.
Pass the Hash
We are using the hash obtained from lsassy, DonPAPI and the SAM dump. All three give you the NT hash, which is the second half of the LM:NT pair.
Note: Impacket's -hashes flag expects LMHASH:NTHASH. The LM half is not used for NTLM authentication, so replace it with 32 zeros (the empty-LM value aad3b435b51404eeaad3b435b51404ee also works, as does leaving it blank before the colon) and put the NT hash after the colon; a bare NT hash without the colon will fail. Also, passing a local account's hash only works for the built-in Administrator (RID 500) unless LocalAccountTokenFilterPolicy is set to 1 on the target, because UAC remote restrictions filter the network-logon token of other local admins.