Thank you man, this was a pretty good explanation
hey, how do I get a shell on that machine with the local user hash? I've seen other tutorials and they use pth-winexe to open a cmd, but using domain credentials, not local ones. Can I do it with my local one? I'm trying this:
pth-winexe -U hostname/User%Hash //computerIP cmd.exe
but i get
NT_STATUS_CONNECTION_RESET
Try running commands using crackmapexec with the --local-auth flag.
I think -x is for running commands in cmd and PowerShell (I think it's -x and -X).
I think the winrs tool can be used for that as well. Google a bit, you will find it.
@@thatquietkid8610 couldn't make winrs accept a hash instead of a password, but psexec did it
@@AmiWhom-dy9wh nice
is there something I can do if signing is enabled?
I don't think so. If SMB signing is enabled and enforced, the attack won't work.
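Since the reply above hinges on whether SMB signing is actually *required* (not just enabled), here is an added example, not from anyone in this thread, that a defender can run on a Windows host to audit that setting from both the server and client side. It uses the built-in SmbShare cmdlets and cross-checks the registry values that Group Policy writes; the only assumption is that the host is Windows 8 / Server 2012 or later, where Get-SmbServerConfiguration and Get-SmbClientConfiguration exist.

```powershell
# Audit whether SMB signing is merely enabled (negotiable) or required (enforced).
# "Enabled" alone does not block relay; only "Required" on the receiving side does.

function Get-SmbSigningPosture {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Registry keys that Group Policy populates; read them as a second opinion.
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wksKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srvReg = (Get-ItemProperty -Path $srvKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    $wksReg = (Get-ItemProperty -Path $wksKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature

    [PSCustomObject]@{
        ServerSigningEnabled  = $server.EnableSecuritySignature
        ServerSigningRequired = $server.RequireSecuritySignature
        ServerRegistryValue   = $srvReg        # 1 = required, 0/absent = not required
        ClientSigningRequired = $client.RequireSecuritySignature
        ClientRegistryValue   = $wksReg
        # A host is only protected as a relay *target* when the server side requires signing.
        RelayTargetProtected  = [bool]$server.RequireSecuritySignature
    }
}

# Print the posture and flag the gap the thread is talking about.
$posture = Get-SmbSigningPosture
$posture | Format-List

if (-not $posture.RelayTargetProtected) {
    Write-Warning 'SMB server signing is not required on this host; it remains a valid relay target.'
    Write-Host 'Remediation: set "Microsoft network server: Digitally sign communications (always)" = Enabled via GPO,'
    Write-Host 'or locally: Set-SmbServerConfiguration -RequireSecuritySignature $true -Force'
}
```

Run it in an elevated PowerShell session. Domain controllers require signing by default, but member servers and workstations typically only have it enabled, which is exactly the state the thread's question is about; the remediation line at the end is the setting that makes the reply's "won't work" hold.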
@@thatquietkid8610 makes sense. Another question: how do I execute something else other than dumping hashes? Like changing a password
@@AmiWhom-dy9wh SMB relay lets you relay the creds that you captured to other machines, and if the creds are of a high-value user, you will dump the local hashes on those machines. For changing a password, you need ACL access like GenericAll on the user, or force reset password, something like this.
@@thatquietkid8610 I assumed that dumping the hashes is a command, and when the creds are relayed it also executes some code with it to dump the hashes, and so I thought it was possible to execute other code to do something else. Am I too wrong?
@@AmiWhom-dy9wh what you said is intriguing. Give me some time to think. I will get back to you.
In Hindi?
No
You are pathetic @@thatquietkid8610